1. Explain information security project management.
Once the organization knows its vision and objectives, the next step is to create the project plan.
A project plan is a set of instructions about the plan, provided individually to those who are
executing the implementation phase.
The major steps in executing the project plan are as follows:
• Planning the project
• Supervising tasks and action steps
• Wrapping up
A project plan can be developed using different methods. Every organization has its own
method to determine its IT and information security projects. Whenever possible, information
security projects should follow the organization’s project management practices.
Steps in Information Security Project Management
1. Developing the Project Plan
2. Project Planning Considerations
3. Scope Considerations
4. The Need for Project Management
1. Developing the Project Plan
A detailed project plan must be drawn up to implement the project, and creation of the project
plan should be assigned to either a project manager or the project champion. This individual
manages the project and delegates parts of it to other decision makers. Often the project
manager is from the IT community of interest, because most other employees lack the requisite
information security background and the appropriate management authority and/or technical
knowledge.
The project plan can be created using a simple planning tool such as the work breakdown
structure (WBS), an example of which is shown later in Tables 10-1 and 10-2. To use the WBS
approach, you first break down the project plan into its major tasks. The major project tasks are
placed into the WBS, along with the following attributes for each:
• Work to be accomplished (activities and deliverables)
• Individuals (or skill set) assigned to perform the task
• Start and end dates for the task (when known)
• Amount of effort required for completion in hours or work days
• Estimated capital expenses for the task
• Estimated noncapital expenses for the task
• Identification of dependencies between and among tasks
The WBS can be prepared with a simple desktop PC spreadsheet program. The use of more
complex project management software tools often leads to projectitis, wherein the project
manager spends more time documenting project tasks, collecting performance measurements,
recording project task information, and updating project completion forecasts than in
accomplishing meaningful project work.
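As an added example (not code from the original text), the following Python models a WBS that carries exactly the attributes listed above and derives what a planner needs from them: it checks that task dependencies are well-formed (no unknown tasks, no cycles), computes earliest start and end dates in working days from the effort estimates, and rolls up capital and noncapital expenses. The firewall-replacement tasks, hours, costs and start date are constructed for illustration, and the model is deliberately spreadsheet-sized.

```python
"""Work breakdown structure (WBS) for a security project plan. Added example,
not from the original text; tasks, hours, costs and the start date are
constructed. Each Task holds the attributes a WBS row carries; start and end
dates are derived from effort and dependencies rather than typed in."""
import math
from dataclasses import dataclass, field
from datetime import date, timedelta

SAMPLE_START = date(2025, 3, 3)  # a Monday; constructed for this example


@dataclass
class Task:
    task_id: str
    work: str                # activities and deliverables
    assigned: str            # individual or skill set performing the task
    effort_hours: float      # effort required for completion
    capital: float = 0.0     # estimated capital expense
    noncapital: float = 0.0  # estimated noncapital expense
    depends_on: list = field(default_factory=list)  # predecessor task ids


def validate(tasks: dict) -> list:
    """Return the problems found: unknown dependencies and dependency cycles.
    A cycle means no task in it can ever start, so scheduling refuses it."""
    problems = []
    for t in tasks.values():
        for dep in t.depends_on:
            if dep not in tasks:
                problems.append(f"{t.task_id}: unknown dependency {dep}")
    white, grey, black = 0, 1, 2  # depth-first search colouring
    colour = {tid: white for tid in tasks}

    def visit(tid, path):
        colour[tid] = grey
        for dep in tasks[tid].depends_on:
            if dep not in tasks:
                continue
            if colour[dep] == grey:  # back edge: dependency cycle
                problems.append("cycle: " + " -> ".join(path + [dep]))
            elif colour[dep] == white:
                visit(dep, path + [dep])
        colour[tid] = black

    for tid in tasks:
        if colour[tid] == white:
            visit(tid, [tid])
    return problems


def add_workdays(start: date, days: int) -> date:
    """Advance `start` by `days` working days (Monday to Friday)."""
    while days > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            days -= 1
    return start


def schedule(tasks: dict, project_start: date, hours_per_day: float = 8.0) -> dict:
    """Earliest (start, end) date per task: a task starts the working day after
    its last dependency finishes and takes ceil(effort / hours_per_day) days."""
    problems = validate(tasks)
    if problems:
        raise ValueError("; ".join(problems))
    dates = {}

    def finish(tid):
        if tid not in dates:
            start = project_start
            for dep in tasks[tid].depends_on:
                start = max(start, add_workdays(finish(dep)[1], 1))
            days = max(1, math.ceil(tasks[tid].effort_hours / hours_per_day))
            dates[tid] = (start, add_workdays(start, days - 1))
        return dates[tid]

    for tid in tasks:
        finish(tid)
    return dates


def budget(tasks: dict) -> dict:
    """Roll up effort and expenses to compare against the approved funds."""
    return {"hours": sum(t.effort_hours for t in tasks.values()),
            "capital": sum(t.capital for t in tasks.values()),
            "noncapital": sum(t.noncapital for t in tasks.values())}


def sample_wbs() -> dict:
    """Constructed firewall-replacement WBS, not a real project."""
    rows = [
        Task("T1", "Update firewall policy", "CISO", 16),
        Task("T2", "Procure firewall appliance", "Procurement", 8, capital=12000, depends_on=["T1"]),
        Task("T3", "Install and configure firewall", "Network engineer", 24, depends_on=["T2"]),
        Task("T4", "Train firewall administrators", "Training vendor", 16, noncapital=3000, depends_on=["T1"]),
        Task("T5", "Cut over to new firewall", "Network engineer", 8, depends_on=["T3", "T4"]),
    ]
    return {t.task_id: t for t in rows}
```

Calling `schedule(sample_wbs(), SAMPLE_START)` places the cutover on 2025-03-11 because installation (T3) waits for procurement, while training (T4) runs in parallel; `budget(sample_wbs())` totals 72 hours, 12,000 capital and 3,000 noncapital.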
2. Project Planning Considerations
As the project plan is developed, adding detail is not always straightforward. The factors
discussed below are those that project planners must consider as they decide what to include
in the work plan, how to break tasks into subtasks and action steps, and how to accomplish the
objectives of the project.
A. Financial Considerations: Regardless of an organization’s information security needs,
the amount of effort that can be expended depends on the available funds. A cost
benefit analysis (CBA), typically prepared in the analysis phase of the SecSDLC, must be
reviewed and verified prior to the development of the project plan. The CBA determines
the impact that a specific technology or approach can have on the organization’s
information assets and what it may cost.
B. Priority Considerations: In general, the most important information security controls in
the project plan should be scheduled first. Budgetary constraints may have an effect on
the assignment of a project’s priorities. As you learned, the implementation of controls
is guided by the prioritization of threats and the value of the threatened information
assets. A less-important control may be prioritized if it addresses a group of specific
vulnerabilities and improves the organization’s security posture to a greater degree
than other individual higher-priority controls.
C. Time and Scheduling Considerations: Time and scheduling can affect a project plan at
dozens of points—consider the time between ordering and receiving a security control,
which may not be immediately available; the time it takes to install and configure the
control; the time it takes to train the users; and the time it takes to realize the return on
the investment in the control. For example, if a control must be in place before an
organization can implement its electronic commerce product, the selection process is
likely to be influenced by the speed of acquisition and implementation of the various
alternatives.
D. Staffing Considerations: The need for qualified, trained, and available personnel also
constrains the project plan. An experienced staff is often needed to implement
technologies and to develop and implement policies and training programs. If no staff
members are trained to configure a new firewall, the appropriate personnel must be
trained or hired.
E. Procurement Considerations: There are often constraints on the equipment and
services selection processes—for example, some organizations require the use of
particular service vendors or manufacturers and suppliers. These constraints may limit
which technologies can be acquired.
F. Organizational Feasibility Considerations: Policies require time to develop, just as new
technologies require time to be installed, configured, and tested.
Employees need training on new policies and technology, and on how the new information
security program affects their working lives.
Changes should be transparent to system users unless the new technology is intended
to change procedures (e.g., requiring additional authentication or verification).
G. Training and Indoctrination Considerations: Depending on the size of the organization
and the business it conducts, a single training program on new security procedures or
technologies may be sufficient, or the organization may need a phased-in or pilot approach
to implement the training. If the project changes policy, employees should be given a brief
explanation of the new policy, and their supervisors should be assigned the related
follow-up tasks.
All necessary documents should be distributed to employees so that they can read,
understand, and agree to the new policies.
3. Scope Considerations
Project scope describes the amount of time and effort-hours needed to deliver the planned
features and quality level of the project deliverables. The scope of any given project plan
should be carefully reviewed and kept as small as possible given the project’s objectives.
4. The Need for Project Management
Project management requires a unique set of skills and a thorough understanding of a broad
body of specialized knowledge. Realistically, most information security projects require a
trained project manager—a CISO or a skilled IT manager who is trained in project management
techniques. Even experienced project managers are advised to seek expert assistance when
engaging in a formal bidding process to select advanced or integrated technologies or
outsourced services.
A. Supervised Implementation: Two options are available for the firm to select.
• Champion is Selected: Although it is not the optimal solution, some organizations
designate a champion from the general management community of interest to
supervise the implementation of an information security project plan. In this
case, groups of tasks are delegated to individuals or teams from the IT and
information security communities of interest.
• IT Manager or CIO is Selected: The detailed work is delegated to cross-functional
teams. The optimal solution is to designate a suitable person from the
information security community of interest. In the final analysis, each
organization must find the project leadership that best suits its specific needs
and the personalities and politics of the organizational culture.
B. Executing the Plan: Once a project is underway, it is managed using a process known as
a negative feedback loop or cybernetic loop, which ensures that progress is measured
periodically. In the negative feedback loop, measured results are compared to expected
results. When significant deviation occurs, corrective action is taken to bring the
deviating task back into compliance with the project plan, or else the projection is
revised in light of new information.
C. Project Wrap-up: Project wrap-up is usually handled as a procedural task and assigned
to a mid-level IT or information security manager. These managers collect
documentation, finalize status reports, and deliver a final report and a presentation at a
wrap-up meeting. The goal of the wrap-up is to resolve any pending issues, critique the
overall project effort, and draw conclusions about how to improve the process for the
future.
2. Explain the technical and nontechnical aspects of implementation.
Technical Aspects of Implementation
Some aspects of the implementation process are technical in nature and deal with the
application of technology, while others deal instead with the human interface to technical
systems.
1. Conversion Strategies
As the components of the new security system are planned, provisions must be made for the
changeover from the previous method of performing a task to the new method. Just like IT
systems, information security projects require careful conversion planning. In both cases, four
basic approaches used for changing from an old system or process to a new one are:
• Direct changeover: Also known as going “cold turkey,” a direct changeover involves
stopping the old method and beginning the new. This could be as simple as having
employees follow the existing procedure one week and then use a new procedure the
next. Some cases are simple and some may be complex, such as requiring the entire company
to change procedures when the network team disables an old firewall and activates a
new one. The primary drawback to the direct changeover approach is that if the new
system fails or needs modification, users may be without services while the system’s
bugs are worked out. Complete testing of the new system in advance of the direct
changeover reduces the probability of such problems.
• Phased implementation: A phased implementation is the most common conversion
strategy and involves a measured rollout of the planned system, with a part of the
whole being brought out and disseminated across an organization before the next piece
is implemented. For example, if an organization seeks to update both its VPN and IDPS
systems, it may first introduce the new VPN solution that employees can use to connect
to the organization’s network while they’re traveling. Each week another department
will be allowed to use the new VPN, with this process continuing until all departments
are using the new approach. Once the new VPN has been phased into operation,
revisions to the organization’s IDPS can begin.
• Pilot implementation: In a pilot implementation, the entire security system is put in
place in a single office, department, or division, and issues that arise are dealt with
before expanding to the rest of the organization. The pilot implementation works well
when an isolated group can serve as the “guinea pig,” which prevents any problems
with the new system from dramatically interfering with the performance of the
organization as a whole.
2. The Bull’s-Eye Model
A proven method for prioritizing a program of complex change is the bull’s-eye method. This
approach, which goes by many different names and has been used by many organizations,
requires that issues be addressed from the general to the specific, and that the focus be on
systematic solutions instead of individual problems. It relies on a process of project plan
evaluation in four layers:
Policies: This is the outer, or first, ring in the bull’s-eye. Effective security and technology
policy is the foundation of the information security program; it enables the firm to perform its
various operations effectively, and only through policy can a firm set the objectives that guide
its specific tasks.
Networks: Implementing information security is a complex task for today’s firm because
threats also affect the networking infrastructure, which is the first thing they meet in the
organization. The firm should design an effective DMZ to secure the organization’s networks.
Secondary efforts in this layer include providing the necessary authentication and authorization
when allowing users to connect over public networks to the organization’s systems.
Systems: Many organizations find that the problems of configuring and operating information
systems in a secure fashion become more difficult as the number and complexity of these
systems grow. This layer includes computers used as servers, desktop computers, and systems
used for process control and manufacturing systems.
Applications: The layer that receives attention last is the one that deals with the application
software systems used by the organization to accomplish its work. This includes packaged
applications, such as office automation and e-mail programs, as well as high-end enterprise
resource planning (ERP) packages that span the organization. Custom application software
developed by the organization for its own needs is also included.
The bull’s-eye model can also be used to evaluate the sequence of steps taken to integrate
parts of the information security blueprint into a project plan. As suggested by its bull’s-eye
shape, this model dictates the following:
• Until sound and useable IT and information security policies are developed,
communicated, and enforced, no additional resources should be spent on other
controls.
• Until effective network controls are designed and deployed, all resources should go
toward achieving this goal (unless resources are needed to revisit the policy needs of
the organization).
• After policies and network controls are implemented, implementation should focus on
the information, process, and manufacturing systems of the organization.
• Once there is assurance that policies are in place, networks are secure, and systems are
safe, attention should move to the assessment and remediation of the security of the
organization’s applications. This is a complicated and vast area of concern for many
organizations.
3. To Outsource or Not
Not all organizations need their own information security department; some can outsource
their information security programs. Developing an effective program may be too costly or
time-consuming, making professional services a viable option. When outsourcing IT services,
security should be included in contracts. Smaller organizations often hire consultants for
specialized tasks like penetration testing and audits, while many businesses outsource network
monitoring to ensure adequate security and detect attacks.
4. Technology Governance and Change Control
Key factors influencing the success of an organization's IT and information security programs
include technology governance and change control processes.
• Technology Governance:
o Manages effects and costs of technology implementation.
o Guides updates and funding approvals for technical systems.
o Enhances communication regarding technical advances.
• Change Control Process:
o Improves communication about changes within the organization.
o Enhances coordination among groups during scheduled changes.
o Reduces unintended consequences from changes.
o Improves service quality by minimizing failures.
o Ensures compliance with governance and security policies.
Effective change control is vital for IT operations, especially in medium to large organizations,
ensuring confidentiality, integrity, and availability during system upgrades.
Nontechnical Aspects of Implementation
Some aspects of the information security implementation process are not technical in nature,
and deal instead with the human interface to technical systems. Now, the topic of creating a
culture of change management and the considerations for organizations facing change are
discussed.
1. The Culture of Change Management
When major projects are under way in an organization, any change, familiar or unfamiliar, can
cause employees to build resistance to it, either consciously or unconsciously. Whether a
change is good or bad, employees tend to prefer the old way of doing things.
Even when employees embrace the change, the stress of making changes and adjusting to new
procedures can increase the possibility of mistakes or create vulnerabilities in systems.
By applying the basic tenets of change management, the project manager can lower resistance
to change and build resilience for it, so that ongoing changes are handled in a better way.
Resistance to change can be lowered by building resilience for change. One of the oldest models
of change is the Lewin change model, which consists of:
1. Unfreezing
2. Moving
3. Refreezing
Unfreezing involves thawing hard-and-fast habits and established procedures. Moving is the
transition between the old way and the new. Refreezing is the integration of the new methods
into the organizational culture.
2. Considerations for Organizational Change
Steps can be taken to make an organization more amenable to change. These steps reduce
resistance to change at the beginning of the planning process and encourage members of the
organization to be more flexible as changes occur.
A. Reducing Resistance to Change from the Start: The success of an organization's IT and
information security programs relies on technology governance and change control processes.
Technology governance manages technology implementation and innovation, guiding updates
and communication across the organization. Change control processes in medium and large
organizations help:
• Improve communication about changes
• Enhance coordination between groups
• Reduce unintended consequences
• Improve service quality
• Ensure compliance with policies
Effective change control is crucial for IT operations, ensuring confidentiality, integrity, and
availability are maintained during upgrades. Resistance to change can hinder implementation,
so early interaction between stakeholders and project planners is vital. A three-step approach
involves:
1. Communication: Inform employees about new processes and gather feedback.
2. Education: Update employees on how changes will affect them and provide training for new
systems.
3. Involvement: Engage employees by including representatives in the development process to
address acceptance issues early on.
B. Developing a Culture that Supports Change: An ideal organization fosters resilience to
change. This means the organization understands that change is a necessary part of the culture,
and that embracing change is more productive than fighting it. To develop such a culture, the
organization must successfully accomplish many projects that require change. A resilient
culture can be either cultivated or undermined by management’s approach.
Strong management support for change, with a clear executive-level champion, enables the
organization to recognize the necessity for and strategic importance of the change. Weak
management support, with overly delegated responsibility and no champion, sentences the
project to almost-certain failure.
3. Explain security certification and accreditation.
At first glance, it may appear that only systems dealing with secret government data need
security certification or accreditation. However, many organizations now realize that, to comply
with new federal privacy regulations, their systems require formal verification and validation.
1. Certification versus Accreditation
Accreditation, issued by management, authorizes IT systems to process information and
ensures adequate quality, while certification involves evaluating the security controls of a
system to support this process. Organizations seek these to gain a competitive edge and assure
customers, with federal systems specifically requiring accreditation under OMB Circular A-130
and the Computer Security Act of 1987. It’s essential to recognize that accreditation and
certification are not permanent; they require renewals typically every three to five years to
maintain standards of security.
2. NIST SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework to Federal
Information Systems: A Security Life Cycle Approach
Two key documents outline the certification and accreditation processes for federal
information systems: SP 800-37, Rev. 1, and CNSS Instruction-1000: National Information
Assurance Certification and Accreditation Process (NIACAP).
Federal information is categorized into national security information (NSI), non-national
security information (non-NSI), and intelligence community (IC) information. NSIs are
processed on national security systems (NSSs), which are overseen by the Committee for
National Systems Security (CNSS), while non-NSSs fall under the National Institute of Standards
and Technology (NIST). NSSs are designed for use in various intelligence, cryptologic, and
military operations. Intelligence community (IC) information is a separate category and is
handled according to guidance from the office of the Director of National Intelligence (DNI). An
NSS is defined as any information system (including any telecommunications system) used or
operated by an agency or by a contractor of any agency, or other organization on behalf of an
agency, the function, operation, or use of which:
• Involves intelligence activities
• Involves cryptologic activities related to national security
• Involves command and control of military forces
• Involves equipment that is an integral part of a weapon or weapon system
• Is subject to subparagraph (B), is critical to the direct fulfillment of military or
intelligence missions, or is protected at all times by procedures for information that
have been specifically authorized under criteria established by an executive order or an
act of Congress to be kept classified in the interest of national defense or foreign policy.
Subparagraph (B) states that this criterion “does not include a system that is to be used for
routine administration and business applications (including payroll, finance, logistics, and
personnel management applications.)” (Title 44 US Code Section 3542, Federal Information
Security Management Act of 2002)
In recent years, the U.S. government's Joint Task Force Transformation Initiative Working
Group and NIST have revamped the certification and accreditation (C&A) program for non-NSI
systems into an integrated risk management framework (RMF). This new RMF ensures reliable
handling of confidential information during normal operations. NIST SP 800-37 Revision 1
outlines the RMF process, while SP 800-39 provides a reference for integrated enterprise-wide
risk management. The NIST RMF employs a three-tiered approach addressing risk at the
organizational, mission, and information system levels.
Tier 1 addresses risk from an organizational perspective with the development of a
comprehensive governance structure and organization-wide risk management strategy …
Tier 2 addresses risk from a mission and business process perspective and is guided by the risk
decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture …
Tier 3 addresses risk from an information system perspective and is guided by the risk decisions
at Tiers 1 and 2. Risk decisions at Tiers 1 and 2 impact the ultimate selection and deployment of
needed safeguards and countermeasures (i.e., security controls) at the information system
level. Information security requirements are satisfied by the selection of appropriate
management, operational, and technical security controls from NIST Special Publication 800-53.
The Risk Management Framework (RMF) [illustrated in Figure 10-4] provides a disciplined and
structured process that integrates information security and risk management activities into the
system development life cycle. The RMF operates primarily at Tier 3 in the risk management
hierarchy but can also have interactions at Tiers 1 and 2 (e.g., providing feedback from ongoing
authorization decisions to the risk executive [function], dissemination of updated threat and
risk information to authorizing officials and information system owners). The RMF steps
include:
• Categorize the information system and the information processed, stored, and
transmitted by that system based on an impact analysis.
• Select an initial set of baseline security controls for the information system based on the
security categorization; tailoring and supplementing the security control baseline as
needed based on an organizational assessment of risk and local conditions.
• Implement the security controls and describe how the controls are employed within the
information system and its environment of operation.
• Assess the security controls using appropriate assessment procedures to determine the
extent to which the controls are implemented correctly, operating as intended, and
producing the desired outcome with respect to meeting the security requirements for
the system.
• Authorize information system operation based on a determination of the risk to
organizational operations and assets, individuals, other organizations, and the Nation
resulting from the operation of the information system and the decision that this risk is
acceptable.
• Monitor the security controls in the information system on an ongoing basis including
assessing control effectiveness, documenting changes to the system or its environment
of operation, conducting security impact analyses of the associated changes, and
reporting the security state of the system to designated organizational officials.
With regard to using the RMF:
The organization exhibits considerable flexibility in selecting appropriate families or specific
controls from NIST Special Publication 800-53 for various allocations. The communication of
security capabilities among entities involved in security control allocation is essential. This
includes ensuring that results from common control authorizations and continuous monitoring
data are accessible to those inheriting common controls, as well as effectively communicating
any changes to affected parties. Additionally, the process is illustrated in [Figure 10-5], which
demonstrates how the Risk Management Framework (RMF) informs senior leaders about the
security status of organizational information systems and their supporting missions and
business processes.
3. NSTISS Instruction-1000: National Information Assurance Certification and Accreditation
Process (NIACAP)
National security interest systems have specific security certification and accreditation (C&A)
standards, guided by OMB Circular A-130. The main document is the NSTISS Instruction 1000,
which outlines the National Information Assurance Certification and Accreditation Process
(NIACAP).
Purpose of NIACAP
1. National Security Telecommunications and Information System Security Instruction
(NSTISSI), National Information Assurance Certification and Accreditation
Process (NIACAP), sets minimum standards to certify and accredit security systems,
ensuring they meet information assurance (IA) and security requirements.
2. The NIACAP aims to ensure that information systems satisfy accreditation criteria and
maintain their security over time. Important roles in this process include the IS program
manager, designated approving authority (DAA), certifier agent (certifier), and user
representative, who resolve critical schedule, budget, functionality, performance, and
security issues.
3. The system security authorization agreement (SSAA) records these agreements and
serves as a baseline security document after C&A.
Roles of NIACAP
1. The minimum NIACAP roles include program manager, DAA, certifier, and user
representative. Additional roles may be added to ensure integrity and objectivity in C&A
decisions.
2. The program manager represents system interests throughout its life cycle
management (acquisition, life cycle schedules, funding responsibility, system
operation, system performance, and maintenance); the DAA evaluates mission, business
case, and budgetary needs; the certifier provides technical expertise; and the user
representative is vested in operational interests. Additional roles may be added for
increased objectivity.
Scope of NIACAP
The National Security Telecommunications and Information Systems Security Policy (NSTISSP)
No. 6 establishes the requirement for federal departments and agencies to implement a C&A
process for national security systems under their operational control. The National Security
Telecommunications and Information Systems Security Committee (NSTISSC) issues and
maintains a document under which the requirements of the NSTISSI apply to all U.S. Government
Executive Branch departments, agencies, and their contractors and consultants. This NSTISSI
provides guidance on how to implement the NSTISSP No. 6 policy.
SSAA Description
The SSAA is a formal agreement among the DAA(s), certifier, user representative, and program
manager. It documents the conditions of the C&A for an IS throughout the entire NIACAP
process, guiding actions, documenting decisions, specifying IA requirements, documenting
certification, identifying solutions, and maintaining operational system security. The SSAA has
the following characteristics:
• Describes the operating environment and threat
• Describes the system security architecture
• Establishes the C&A boundary of the system to be accredited
• Documents the formal agreement among the DAA(s), certifier, program manager, and
user representative
• Documents all requirements necessary for accreditation
• Minimizes documentation requirements by consolidating applicable information into
the SSAA (security policy, concept of operations, architecture description, test
procedures, etc.)
• Documents the NIACAP plan
• Documents test plans and procedures, certification results, and residual risk
• Forms the baseline security configuration document
NIACAP Phases
The NIACAP is composed of four phases: Definition, Verification, Validation, and
Post-Accreditation.
Phase 1, definition, determines the necessary security measures and effort level to achieve
certification and accreditation. The objective of Phase 1 is to agree on the security
requirements, C&A boundary, schedule, level of effort, and resources required.
Phase 2, verification, verifies the evolving or modified system’s compliance with the
information in the SSAA. The objective of Phase 2 is to ensure the fully integrated system is
ready for certification testing.
Phase 3, validation, validates compliance of the fully integrated system with the security policy
and requirements stated in the SSAA. The objective of Phase 3 is to produce the required
evidence to support the DAA in making an informed decision to grant approval to operate the
system (accreditation or interim approval to operate [IATO]).
Phase 4, post accreditation, starts after the system has been certified and accredited for
operations and includes those activities necessary for the continuing operation of the
accredited IS and manages the changing threats and small-scale changes a system faces
through its life cycle. The objective of Phase 4 is to ensure secure system management,
operation, and maintenance sustain an acceptable level of residual risk.
The CNSS also publishes training standards for federal information technology workers in
information security, including NSTISSI 4015, the training standard for systems certifiers.
Qualified systems certifiers must be trained in INFOSEC fundamentals and have field
experience; they should have system administrator or ISSO experience and be familiar with
the DAA role. After completing the training they can act as federal agency systems certifiers.
ISO 27001/27002
ISO/IEC 27001 and 27002 are international standards for information security management
systems (ISMS). They descend from the British Standard BS 7799 and are used by organizations
both inside and outside the United States. ISO 27001 specifies the requirements an ISMS must
meet and is the standard against which an ISMS is certified; ISO 27002 is the companion code
of practice that describes the controls.
The first phase of the certification process is preparation: developing and implementing your
ISMS, integrating it into the business processes, training your staff, and establishing an
ongoing program of ISMS maintenance.
The second phase involves engaging one of the accredited certification bodies to carry out an
audit of your ISMS.
The certificate is valid for three years. The third phase is surveillance: the certification body
revisits your ISMS at regular intervals (typically every six to nine months) to carry out a
surveillance audit, which confirms continued compliance with the standard, and a full
re-certification audit is required before the three years expire.
4.Discuss briefly positioning and staffing security function.
Large organizations often position their information security department within the
information technology department, with the Chief Information Security Officer (CISO)
reporting to the Chief Information Officer (CIO). This alignment suggests shared goals, but
conflicts may arise due to differing objectives.
The CIO focuses on efficiency in information processing, while the CISO's role is to assess
security flaws. The tension between accessibility and security can lead some organizations to
separate the security function from IT. Despite this trend, many organizations still prefer the
traditional structure of the CISO reporting to the CIO. Various research reports suggest that
while the ideal is independence for the CISO, the close alignment of security and IT makes
complete separation challenging. Charles Cresson Wood's book outlines different ways to
position the information security function, emphasizing the need for a careful balance between
security and accessibility.
Ultimately, the challenge lies in finding the best structure to ensure effective protection of the
organization's IT assets while allowing for efficient information processing. According to Wood,
the information security function can be placed within any of the following organizational
functions:
• IT function, as a peer of other subfunctions such as networks, applications
development, and the help desk
• Security function, as a peer of physical security or protective services
• Administrative services function, as a peer of human resources or purchasing
• Insurance and risk management function
• Legal department
Once the organizational position of an information security function is established, the
challenge lies in creating a reporting structure that satisfies the various stakeholders' needs.
Often, the placement of the security unit in the reporting hierarchy is neglected, leading to
ineffective management and relocation within the organization. To optimize effectiveness,
organizations must strategically position the security function to ensure both policy
enforcement and cultural integration.
Staffing the Information Security Function
The selection of information security personnel is influenced by various factors, including
supply and demand dynamics. When demand for critical technical skills rises rapidly, there may
be a shortage of qualified professionals. As a result, individuals seek to enter the security
market by obtaining necessary skills and credentials. Organizations face higher costs when
there is limited supply until the demand is met. Hiring trends fluctuate between high demand
and low supply to low demand and high supply, impacting the job market.
The information security industry experienced high demand in 2002 but saw reduced growth
in 2003-2006. However, forecasts suggest increased job opportunities in IT and information
security.
The Bureau of Labor Statistics predicts substantial growth in information security and IT jobs,
with around 300,000 new positions expected from 2008 to 2018. A 2010 study found that
hiring for IT and information security roles is challenging, with information security being one
of the most difficult areas to recruit for.
1. Qualifications and Requirements
A number of factors influence an organization's hiring decisions, and these decisions are
further complicated by a lack of understanding of what information security roles involve.
In many organizations, information security teams still lack established roles and
responsibilities. Establishing better hiring practices in an organization requires the following:
• The general management community of interest should learn more about the skills and
qualifications for both information security positions and those IT positions that impact
information security.
• Upper management should learn more about the budgetary needs of the information
security function and the positions within it. This will enable management to make
sound fiscal decisions for both the information security function and the IT functions
that carry out many of the information security initiatives.
• The IT and general management communities should grant appropriate levels of
influence and prestige to the information security function, and especially to the role of
chief information security officer.
Organizations typically seek technically skilled information security experts who understand
their operations. Specialization is valuable in many fields, but in information security, balance
between skills is crucial.
2.Entry into the Information Security Profession
College students, technical professionals, and former law enforcement and military personnel
are frequently the sources of information security professionals. Hiring managers prefer
professionals with proven IT skills and experience in another field. However, IT professionals
who move into information security often focus on the technology rather than on the broader
management, policy, and people aspects of the field. Organizations can foster professionalism
by matching qualified candidates to clearly defined roles and positions rather than simply
reassigning proven IT professionals.
3.Information Security Positions
Standard job descriptions improve consistency and professionalism in the field of information
security. Charles Cresson Wood's book, Information Security Roles and Responsibilities Made
Easy, provides model job descriptions and identifies IT staff responsibilities in information
security roles.
4.Chief Information Security Officer (CISO or CSO)
The CISO is the top information security officer in the organization, usually reporting to the
chief information officer. CISOs are business managers first and technologists second: they
must be proficient in technical, planning, and policy areas, and they define or implement the
information security program.
5.Security Manager
Security managers oversee the daily operations of an information security program, achieving
objectives and resolving issues identified by technicians. They require understanding of
technology but not necessarily proficiency in configuration, operation, or fault resolution.
6.Security Technician
Security technicians configure firewalls, deploy IDPSs, implement security software, diagnose
problems, and coordinate with systems and network administrators. Even entry-level technician
positions require technical skills, which creates a catch-22 for applicants without experience:
the experience employers ask for can only be gained on the job.
5.Explain about Employment policies and practices and internal control
strategies.
An organization should incorporate information security into every employee's job description,
integrating it into employment policies and practices. This includes recruiting, hiring, firing, and
managing human resources. The CISO and information security manager should collaborate
with the human resources department to ensure security in hiring guidelines.
Employment Hiring Issues
1. Job Descriptions
The process of integrating information security perspectives into the hiring process
begins with reviewing and updating all job descriptions. To prevent people from
applying for positions based solely on access to sensitive information, the organization
should avoid revealing access privileges to prospective employees when it advertises
open positions.
2. Interviews
Some interviews with job candidates are conducted with members of the human resources
staff, and others include members of the department for which the new position is being
offered. An opening within the information security department creates a unique opportunity
for the security manager to educate HR on the various certifications and the specific experience
each certification requires, as well as the qualifications of a good candidate. In all other areas of
the organization, information security should, for the same reason mentioned during the
discussion of job descriptions, advise HR to limit the information provided to the candidate
about the responsibilities and access rights that the new hire would have. On-site visits by
candidates should be avoided, since a candidate who is not hired may leave with enough
knowledge of the organization's information security functions to pose a threat.
3. Background Checks
A background check, an investigation of a candidate's past for evidence of potential
misconduct, should be completed before the organization extends an offer. Government
regulations dictate what the investigation may cover and how uncovered information may
influence hiring decisions, so legal counsel should be consulted.
4. Employment Contracts
The employment contract is a crucial security instrument for the organization, because it is
where the candidate agrees to monitoring and to nondisclosure. An existing employee who
refuses to sign such agreements leaves the security function with little leverage; new hires,
by contrast, can be required to sign the policy acknowledgment as a condition of
employment. Employment contracts may also contain restrictive clauses on the creation and
ownership of intellectual property and require employees to protect critical organizational
assets. This is a necessary component of the security process.
5. New Hire Orientation
New employees should receive an extensive information security briefing during their
orientation, covering major policies, procedures, and security requirements for their
new position. They should also be educated on authorized access levels and secure use
of information systems. This comprehensive training ensures a smooth transition into
their roles.
6. On-the-Job Security Training
The organization should integrate the security awareness education into a new hire’s
ongoing job orientation and make it a part of every employee’s on-the-job security
training. Keeping security at the forefront of employees’ minds helps minimize
employee mistakes and is, therefore, an important part of the information security
team’s mission. Formal external and informal internal seminars should also be used to
increase the security awareness level of employees, especially that of security
employees.
7. Evaluating Performance
To heighten information security awareness and minimize workplace behavior that
poses risks to information security, organizations should incorporate information
security components into employee performance evaluations. In general, employees
pay close attention to job performance evaluations and are more likely to be motivated
to take information security seriously if their performance with respect to information
security tasks and responsibilities is documented in these evaluations.
8. Termination
Leaving the organization may or may not be a decision made by the employee. Organizations
may downsize, be bought out or taken over, shut down, run out of business, or simply be forced
to lay off, fire, or relocate their work force. In any event, when an employee leaves an
organization, there are a number of security-related issues that arise.Therefore, when an
employee prepares to leave an organization, the following tasks must be performed:
• Access to the organization’s systems must be disabled.
• Removable media must be returned.
• Hard drives must be secured.
• File cabinet locks must be changed.
• Office door locks must be changed.
• Keycard access must be revoked.
• Personal effects must be removed from the organization’s premises.
After the employee has delivered keys, keycards, and other business property, he or she should
be escorted from the premises.
Internal Control Strategies
Among several internal control strategies, separation of duties is a cornerstone in the
protection of information assets and in the prevention of financial loss.
1. Separation of Duties
Separation of duties is used to reduce the chance of an individual violating information security
and breaching the confidentiality, integrity, or availability of information. The control stipulates
that the completion of a significant task that involves sensitive information should require at
least two people and the reason for this is that if only one person had the authorization to
access a particular set of information, there may be nothing the organization can do to prevent
this individual from copying the information and removing it from the premises. Separation of
duties is especially important, and thus commonly implemented, when the information in
question is financial.
2.Job Rotation
Job rotation is a related control against the misuse of information assets. It requires that
employees be able to perform one another's work, so that a second person periodically handles,
and can audit, the same tasks; this raises the chance that misuse is detected. This "human RAID"
also helps the organization survive the loss of any one employee. The principle of least
privilege complements these controls by ensuring that only those who need access to data to do
their jobs have it, in support of the confidentiality, integrity, and availability of information.
Organizations should assume that everyone who can access data may access it, which is why
granting access beyond what a role requires can have devastating consequences for the
organization's information security.
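As an added illustration, not code from the original page, the two-person rule and least privilege above expressed as an authorization check in Python. Users, role and permission names, the "release_payment" task and the toxic-combination list are constructed sample data and assumed policy.

```python
"""Separation of duties and least privilege as code (added illustration).
Users, roles, permission names and the release_payment task are constructed
sample data, not from any real system."""
from dataclasses import dataclass

# Least privilege: each role maps to the smallest set of permissions it needs.
# (Assumed role/permission names.)
ROLE_PERMISSIONS = {
    "payments_clerk": frozenset({"payment.create"}),
    "payments_approver": frozenset({"payment.approve"}),
    "helpdesk": frozenset({"ticket.read"}),
}

# Roles that one person must never hold together (assumed policy): holding
# both would let a single individual create and approve the same payment.
TOXIC_COMBINATIONS = [frozenset({"payments_clerk", "payments_approver"})]


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


class AuthorizationError(Exception):
    pass


def permissions(user):
    """Effective permissions are the union of the user's role permissions."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def has_permission(user, perm):
    return perm in permissions(user)


def violates_sod(user):
    """Provisioning-time check: does this user hold a toxic role combination?"""
    return any(combo <= user.roles for combo in TOXIC_COMBINATIONS)


def release_payment(requester, approvers, amount):
    """Transaction-time two-person control: the requester needs payment.create,
    and two *distinct* approvers, neither of them the requester, need
    payment.approve. Returns the authorization record on success."""
    if not has_permission(requester, "payment.create"):
        raise AuthorizationError(f"{requester.name} may not create payments")
    names = {a.name for a in approvers}
    if len(names) < 2:
        raise AuthorizationError("two distinct approvers are required")
    if requester.name in names:
        raise AuthorizationError("requester may not approve their own request")
    for a in approvers:
        if not has_permission(a, "payment.approve"):
            raise AuthorizationError(f"{a.name} may not approve payments")
    return {"amount": amount, "requested_by": requester.name,
            "approved_by": sorted(names)}


def authorize(requester, approvers, amount):
    """Same check, reported as (ok, reason) instead of an exception."""
    try:
        release_payment(requester, approvers, amount)
        return True, "ok"
    except AuthorizationError as exc:
        return False, str(exc)


# Constructed sample users.
ALICE = User("alice", frozenset({"payments_clerk"}))
BOB = User("bob", frozenset({"payments_approver"}))
CAROL = User("carol", frozenset({"payments_approver"}))
DAVE = User("dave", frozenset({"helpdesk"}))
EVE = User("eve", frozenset({"payments_clerk", "payments_approver"}))

if __name__ == "__main__":
    print(authorize(ALICE, [BOB, CAROL], 100))   # (True, 'ok')
    print(authorize(ALICE, [BOB, BOB], 100))     # same approver twice: refused
    print(authorize(EVE, [EVE, BOB], 100))       # requester approving own request
    print(authorize(ALICE, [BOB, DAVE], 100))    # dave lacks payment.approve
    print("eve violates SoD:", violates_sod(EVE))
```

The check is enforced twice on purpose: violates_sod catches the toxic role combination when access is provisioned, and release_payment enforces the two-person rule at the moment the sensitive task runs, so a later role change cannot silently collapse the control to one person.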
6.What is Information security maintenance? Explain about Security
management models and the maintenance model.
To manage and operate the ongoing security program, the information security community
must adopt a management maintenance model. In general, management models are
frameworks that structure the tasks of managing a particular set of activities or business
functions.
1. NIST SP 800-100 Information Security Handbook: A Guide for Managers
NIST SP 800-100 Information Security Handbook: A Guide for Managers provides
managerial guidance for the establishment and implementation of an information
security program, in particular regarding the ongoing tasks expected of an information
security manager once the program is operational and day-to-day operations are
established.
For each of the thirteen areas of information security management presented in SP 800-
100 there are specific monitoring activities—tasks security managers should do on an
ongoing basis to monitor the function of the security program and take corrective
actions when issues arise. Not all issues are negative, as is the incident described in the
opening scenario. Some are normal changes in the business environment, while others
are changes in the technology environment—for example, the emergence of new
technologies that could improve organizational security or new security standards and
regulations to which the organization should or could subscribe.
2. Monitoring actions for the security areas of SP 800-100
The following sections describe the monitoring actions for each of the thirteen
information security areas. This information is adapted from SP 800-100.
1. Information Security Governance
An effective information security governance program requires constant review.
Agencies should monitor the status of their programs to ensure that:
• Ongoing information security activities are providing appropriate support to the
agency mission.
• Policies and procedures are current and aligned with evolving technologies, if
appropriate.
• Controls are accomplishing their intended purpose
Over time, policies and procedures may become inadequate because of changes in
agency mission and operational requirements, threats, or the environment;
deterioration in the degree of compliance; or changes in technology, infrastructure, or
business processes.
2. System Development Life Cycle
The system development life cycle (SDLC) is the overall process of developing,
implementing, and retiring information systems through a multistep process—initiation,
analysis, design, implementation, and maintenance to disposal. Each phase of the SDLC
includes a minimum set of information security–related activities required to effectively
incorporate security into a system.
Special Publication (SP) 800-64 Rev. 1, Security Considerations in the Information
System Development Life Cycle, presents a framework for incorporating security into all
phases of the SDLC to ensure the selection, acquisition, and use of appropriate and cost-
effective security controls. An effective security program requires continuous
understanding of program and system weaknesses. During the operation and
maintenance phase of an SDLC, organizations should monitor system performance,
ensure that the system continues to meet user and security requirements, and
incorporate necessary modifications through change control.
3. Awareness and Training
Implementing a program requires monitoring compliance and effectiveness. An
automated tracking system should capture key program activity data at an agency level
for enterprise-wide analysis. Compliance assessment maps the program's status to agency
standards, identifying gaps and requiring corrective action. This may involve formal
reminders, additional awareness, training, or a corrective plan.
4. Capital Planning and Investment Control
Because competition for limited resources has increased, departments must justify and
allocate funds for information security investments through a formal capital planning and
investment control (CPIC) process.
The Government Accountability Office (GAO) offers a Select-Control-Evaluate
investment life cycle model to help departments allocate funds for high-priority
information security investments. This helps organizations control the expenditure of
agency funds and ensures disciplined and thorough investment management practices,
including security, throughout the investment life cycle.
5. Interconnecting Systems
System interconnection refers to the direct connection of two or more information
systems for sharing data and resources. Organizations choose interconnections for
various reasons, such as data exchange, joint project collaboration, or secure data
storage. However, improper interconnection design can expose organizations to risk, as
security failures could compromise the systems and data. Proper management of
interconnected systems leads to increased efficiency, centralized data access, and
functionality. Security controls for each system should be evaluated and implemented
appropriately for the interconnection.
NIST SP 800-47 details a four-phase life cycle management approach for interconnecting
information systems that emphasizes proper attention to information security:
Phase 1: planning the interconnection
Phase 2: establishing the interconnection
Phase 3: maintaining the interconnection
Phase 4: disconnecting the interconnection
6. Performance Measures
A performance measures program provides numerous organizational and financial
benefits to organizations. Organizations can develop information security metrics that
measure the effectiveness of their security program, and provide data to be analyzed
and used by program managers and system owners to isolate problems, justify
investment requests, and target funds to the areas in need of improvement. By using
metrics to target security investments, agencies can get the best value from available
resources.
The typical information security performance measurement program consists of four
interdependent components: senior management support, security policies and
procedures, quantifiable performance metrics, and analyses. Metrics are tools that
support decision making. Like experience, external mandates, and strategies, metrics
are one element of a manager’s toolkit for making and substantiating decisions.
7. Security Planning
Planning is a crucial aspect of security management, involving strategic, tactical, and
operational plans that align with organizational and IT goals. SP 800-100 addresses
planning by focusing on the security controls available for it. The Federal Information
Processing Standard (FIPS) 200 outlines minimum security requirements for federal
information and information systems in seventeen areas. Private organizations can
benefit from these requirements, and NIST SP 800-18 Rev. 1 provides a systems security
plan template in Appendix A.
8. Information Technology Contingency Planning
Contingency planning consists of a process for recovery and documentation of
procedures for conducting recovery. Special Publication SP 800-34, Contingency
Planning Guide for Information Technology Systems, details a seven-step methodology for
developing an IT contingency process and plan. Planning, implementing, and testing the
contingency strategy are addressed by six of the seven steps; documenting the plan and
establishing procedures and personnel organization to implement the strategy is the
final step. SP 800-34 also includes technical considerations for developing recovery
strategies.
9. Risk Management
Risk management is an ongoing effort as well. The tasks of performing risk
identification, analysis, and management are a cyclic and fundamental part of
continuous improvement in information security. The principal goal of an organization’s
risk management process is to protect the organization and its ability to perform its
mission, not just its information assets. The risk management process is an essential
management function of the organization that is tightly woven into the SDLC, as
depicted.
Because risk cannot be eliminated entirely, the risk management process allows
information security program managers to balance the operational and economic costs
of protective measures and achieve gains in mission capability. By employing practices
and procedures designed to foster informed decision making, agencies help protect
their information systems and the data that support their own mission.
10. Certification,Accreditation and Security Assessments
Certification and accreditation for federal non-national-security information systems is
changing. Organizations need to review their systems for compliance with applicable
regulations and may also seek recognition under certification schemes such as the ISO
27000 series.
The security certification and accreditation process is designed to ensure that an
information system will operate with the appropriate management review, that there is
ongoing monitoring of security controls, and that reaccreditation occurs periodically.
Continuous monitoring is essential for any security program, supporting annual FISMA
requirements for assessing security controls in information systems. An effective continuous
monitoring program can help maintain security in these systems.
11. Security Services and Products Acquisition
Information security services and products are crucial for organizations' information
security programs. They support the organization's infrastructure design, development,
and maintenance, protecting mission-critical information. Federal agencies often use
these products, and risk management principles are applied to identify and mitigate
associated risks.
Organizations should conduct a cost-benefit analysis when purchasing information security
products, considering risk mitigation costs. This should include a life cycle cost estimate for the
current status quo and each identified alternative, while highlighting the benefits. The NIST SP
800-36 guide provides a list of questions to ask when selecting security products.
12. Incident Response
Information system and network attacks have become more sophisticated and severe in
recent years. To prevent these attacks, organizations must identify and assess risks to
their systems and information. Trending analysis of past incidents and effective ways to
deal with them are crucial components of risk management. A well-defined incident
response capability helps detect incidents, minimize loss and destruction, identify
weaknesses, and restore IT operations quickly.
NIST SP 800-61, Computer Security Incident Handling Guide, details a four-phase incident
response process (preparation; detection and analysis; containment, eradication, and
recovery; and post-incident activity) and formed the basis for the material in this section.
This process is another critical ongoing effort as security managers prepare for, protect
against, react to, and recover from incidents.
13. Configuration (or Change) Management
Configuration management (CM) is a process that manages the impact of changes or
differences in configurations on an information system or network. It involves
identifying, inventorying, and documenting the current configurations of hardware,
software, and networking. Change management, on the other hand, focuses on
modifications to these configurations.
Here, we combine the two concepts to address the current and proposed states of the
information systems and these concepts are essential for monitoring and managing
changes in technical components of the system.
Security Maintenance Model
NIST SP 800-100 Information Security Handbook provides a management model for managing
and operating the security program, while a maintenance model focuses on keeping the
program and its systems current. Figure 12-10 presents a recommended approach for dealing
with change caused by information security maintenance, and it serves as a framework for the
discussion that follows.
The recommended maintenance model is based on five subject areas or domains:
• External monitoring
• Internal monitoring
• Planning and risk assessment
• Vulnerability assessment and remediation
• Readiness and review
1. Monitoring the External Environment
During the Cold War, the western alliance, led by the United States and Britain,
confronted the Soviet Union and its allies. A key component of the Western alliance’s
defence was maintaining the ability to detect early warnings of attacks. The image of an
ever-vigilant team of radar operators scanning the sky for incoming attacks using a
global network of sensors could also represent the current world of information
security, where teams of information security personnel must guard their respective
organizations against dangerous and debilitating threats. While the stakes for modern-
day organizations are not equivalent (i.e., they do not typically involve the possibility of
nuclear Armageddon), they are nevertheless very high—especially as organizations
become more and more information dependent.
The objective of the external monitoring domain within the maintenance model is to
provide the early awareness of new and emerging threats, threat agents, vulnerabilities,
and attacks that the organization needs in order to mount an effective and timely
defence.
External monitoring entails collecting intelligence from various data sources and then
giving that intelligence context and meaning for use by decision makers within the
organization.
2. Monitoring the Internal Environment
The primary goal of the internal monitoring domain is to maintain an informed
awareness of the state of all of the organization’s networks, information systems, and
information security defenses. This awareness must be communicated and
documented, especially for components that are exposed to the external network.
Internal monitoring is accomplished by:
• Building and maintaining an inventory of network devices and channels, IT
infrastructure and applications, and information security infrastructure
elements.
• Leading the IT governance process within the organization to integrate the
inevitable changes found in all network, IT, and information security programs.
• Monitoring IT activity in real-time using IDPSs to detect and initiate responses to
specific actions or trends of events that introduce risk to the organization’s
information assets.
• Monitoring the internal state of the organization’s networks and systems. This
recursive review of the network and system devices that are online at any given
moment and of any changes to the services offered on the network is needed to
maintain awareness of new and emerging threats. This can be accomplished
through automated difference-detection methods that identify variances
introduced to the network or system hardware and software.
The value of internal monitoring is high when the resulting knowledge of the network
and systems configuration is fed into the vulnerability assessment and remediation
maintenance domain. But this knowledge becomes invaluable when incident response
processes are fully integrated with the monitoring processes.
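The "automated difference-detection" bullet above, and the configuration management area (item 13) that feeds it, as an added Python example that is not part of the original page. The two inventory snapshots (host to {port: service}) and the high-risk service watchlist are constructed sample data; a real run would fill them from a scanner or asset database. Beyond plain diffing, the example also shows the change-control step: only variances approved through configuration management are folded into the new baseline, everything else stays an open variance.

```python
"""Difference detection between an inventory baseline and a fresh snapshot,
followed by a change-control step that promotes only approved variances into
the new baseline. Snapshots and watchlist are constructed sample data."""

BASELINE = {
    "10.0.0.5": {22: "ssh", 443: "https"},
    "10.0.0.9": {22: "ssh", 3306: "mysql"},
    "10.0.0.12": {22: "ssh"},
}

CURRENT = {
    "10.0.0.5": {22: "ssh", 443: "https", 8080: "http-alt"},  # new listener
    "10.0.0.9": {22: "ssh"},                                  # mysql gone
    "10.0.0.20": {22: "ssh", 23: "telnet"},                   # host not in baseline
}

HIGH_RISK_SERVICES = {"telnet", "ftp", "rsh"}  # assumed cleartext watchlist


def diff_inventory(baseline, current):
    """Variances between two snapshots: hosts that appeared or vanished, and
    listening services that appeared or vanished on known hosts."""
    diff = {"new_hosts": [], "missing_hosts": [],
            "new_services": [], "removed_services": []}
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            diff["new_hosts"].append(host)
            for port, svc in sorted(current[host].items()):
                diff["new_services"].append((host, port, svc))
        elif host not in current:
            diff["missing_hosts"].append(host)
        else:
            before, after = baseline[host], current[host]
            for port in sorted(set(after) - set(before)):
                diff["new_services"].append((host, port, after[port]))
            for port in sorted(set(before) - set(after)):
                diff["removed_services"].append((host, port, before[port]))
    return diff


def triage(diff):
    """Rank variances so unknown hosts and cleartext services come first."""
    findings = []
    for host, port, svc in diff["new_services"]:
        high = svc in HIGH_RISK_SERVICES or host in diff["new_hosts"]
        findings.append(("high" if high else "medium", f"{host}:{port}/{svc} appeared"))
    for host in diff["missing_hosts"]:
        findings.append(("medium", f"{host} no longer answers"))
    for host, port, svc in diff["removed_services"]:
        findings.append(("low", f"{host}:{port}/{svc} disappeared"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


def promote_baseline(baseline, current, approved):
    """Change-control step: only variances listed in `approved`, a set of
    (host, port) pairs or (host, None) for a decommissioned host, become part
    of the new baseline. Everything else is returned as unexplained."""
    new = {h: dict(p) for h, p in baseline.items()}
    unexplained = []
    diff = diff_inventory(baseline, current)
    for host, port, svc in diff["new_services"]:
        if (host, port) in approved:
            new.setdefault(host, {})[port] = svc
        else:
            unexplained.append(("added", host, port, svc))
    for host, port, svc in diff["removed_services"]:
        if (host, port) in approved:
            del new[host][port]
        else:
            unexplained.append(("removed", host, port, svc))
    for host in diff["missing_hosts"]:
        if (host, None) in approved:
            del new[host]
        else:
            unexplained.append(("missing", host, None, None))
    return new, unexplained


if __name__ == "__main__":
    d = diff_inventory(BASELINE, CURRENT)
    for prio, text in triage(d):
        print(prio, text)
    approved = {("10.0.0.5", 8080), ("10.0.0.9", 3306)}   # assumed change tickets
    _, open_items = promote_baseline(BASELINE, CURRENT, approved)
    print("unexplained:", open_items)
```

Run against the constructed data, the unknown host 10.0.0.20 and its telnet listener surface first, the new 8080 listener on 10.0.0.5 and the missing 3306 on 10.0.0.9 are absorbed because change control approved them, and the silent host 10.0.0.12 stays an unexplained variance for someone to investigate.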
3. Planning and Risk Assessment
The primary objective of the planning and risk assessment domain is to keep a lookout
over the entire information security program, in part by identifying and planning
ongoing information security activities that further reduce risk. In fact, the bulk of the
security management maintenance model could fit in this domain. Also, the risk
assessment group identifies and documents risks introduced by both IT projects and
information security projects. It also identifies and documents risks that may be latent
in the present environment. The primary objectives of this domain are:
• Establishing a formal information security program review process that
complements and supports both the IT planning process and strategic planning
processes.
• Instituting formal project identification, selection, planning, and management
processes for information security follow-up activities that augment the current
information security program
• Coordinating with IT project teams to introduce risk assessment and review for
all IT projects, so that risks introduced by the launching of IT projects are
identified, documented, and factored into decisions about the projects
• Integrating a mindset of risk assessment across the organization to encourage
other departments to perform risk assessment activities when any technology
system is implemented or modified.
Note that there are two pivotal processes: the planning needed for the information security
programs and evaluation of current risks using operational risk assessment.
4. Vulnerability Assessment and Remediation
The primary goal of the vulnerability assessment and remediation domain is to identify
specific, documented vulnerabilities and remediate them in a timely fashion. This is
accomplished by:
• Using documented vulnerability assessment procedures to collect intelligence about
networks (internal and public-facing), platforms (servers, desktops, and process
control), dial-in modems, and wireless network systems safely.
• Documenting background information and providing tested remediation procedures
for the reported vulnerabilities.
• Tracking vulnerabilities from when they are identified until they are remediated or
the risk of loss has been accepted by an authorized member of management.
• Communicating vulnerability information including an estimate of the risk and
detailed remediation plans to the owners of the vulnerable systems.
• Reporting on the status of vulnerabilities that have been identified.
• Ensuring that the proper level of management is involved in the decision to accept
the risk of loss associated with unrepaired vulnerabilities.
Figure 12-15 illustrates the process flow of the vulnerability assessment and remediation
domain
Using the inventory of environment characteristics stored in the risk, threat, and attack
database, the vulnerability assessment processes identify and document vulnerabilities. These
vulnerabilities are stored, tracked, and reported within the vulnerability database until they are
remediated.
The process of identifying and documenting specific and provable flaws in the organization's
information asset environment is called vulnerability assessment (VA). As shown in Figure 12-
15, there are five common vulnerability assessment processes: Internet VA, intranet VA,
platform security validation, wireless VA, and modem VA. Organizations may use a monthly or
rotating approach to vulnerability assessments, depending on the resources available and the
quality of those resources, or perform an Internet vulnerability assessment weekly.
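The tracking requirement above (a vulnerability stays open until it is remediated or the risk of loss is accepted by an authorized member of management) is easiest to see as a small record-keeping program. The following is an added example, not code from the text or from any vendor product: it keeps a vulnerability database with the lifecycle states the domain describes, refuses risk acceptance from unauthorized roles, and produces the status report. The roles in AUTHORIZED_ACCEPTORS, the asset names and the findings are constructed assumptions.

```python
"""Vulnerability-tracking record, added as an illustration (not from the text).

A finding is opened when an assessment identifies it, communicated to the system
owner with a risk estimate and remediation plan, and closed only when it is
remediated or when the risk of loss is accepted by an authorized role.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Status(Enum):
    IDENTIFIED = "identified"
    COMMUNICATED = "communicated"
    REMEDIATED = "remediated"
    RISK_ACCEPTED = "risk_accepted"


# Roles allowed to accept the risk of an unrepaired vulnerability (assumed policy).
AUTHORIZED_ACCEPTORS = {"CISO", "CIO"}


@dataclass
class Vulnerability:
    vuln_id: str
    asset: str
    description: str
    source: str            # VA process that found it, e.g. "Internet VA"
    identified_on: date
    risk_estimate: str     # "high", "medium" or "low"
    status: Status = Status.IDENTIFIED
    history: list = field(default_factory=list)   # audit trail of transitions


class VulnerabilityDatabase:
    """Stores, tracks and reports findings until they are remediated or accepted."""

    def __init__(self):
        self._items: dict[str, Vulnerability] = {}

    def identify(self, vuln: Vulnerability) -> None:
        if vuln.vuln_id in self._items:
            raise ValueError(f"{vuln.vuln_id} is already tracked")
        self._items[vuln.vuln_id] = vuln
        vuln.history.append(f"identified by {vuln.source} on {vuln.identified_on}")

    def communicate(self, vuln_id: str, owner: str, plan: str) -> None:
        v = self._items[vuln_id]
        if v.status is not Status.IDENTIFIED:
            raise ValueError(f"{vuln_id} is {v.status.value}, not pending communication")
        v.status = Status.COMMUNICATED
        v.history.append(f"sent to {owner}: risk={v.risk_estimate}, plan={plan}")

    def remediate(self, vuln_id: str, verified_by: str) -> None:
        v = self._items[vuln_id]
        if v.status is not Status.COMMUNICATED:
            raise ValueError(f"{vuln_id} must reach its owner before it can be closed")
        v.status = Status.REMEDIATED
        v.history.append(f"remediation verified by {verified_by}")

    def accept_risk(self, vuln_id: str, acceptor: str, role: str, reason: str) -> None:
        """Close a finding without a fix; refused unless the role is authorized."""
        if role not in AUTHORIZED_ACCEPTORS:
            raise PermissionError(f"role {role!r} may not accept risk of loss")
        v = self._items[vuln_id]
        if v.status in (Status.REMEDIATED, Status.RISK_ACCEPTED):
            raise ValueError(f"{vuln_id} is already closed")
        v.status = Status.RISK_ACCEPTED
        v.history.append(f"risk accepted by {acceptor} ({role}): {reason}")

    def open_items(self) -> list[Vulnerability]:
        """Findings still awaiting remediation or an acceptance decision."""
        return [v for v in self._items.values()
                if v.status in (Status.IDENTIFIED, Status.COMMUNICATED)]

    def status_report(self) -> dict[str, int]:
        """Count of findings per lifecycle state, for the status report."""
        report = {s.value: 0 for s in Status}
        for v in self._items.values():
            report[v.status.value] += 1
        return report


def demo() -> VulnerabilityDatabase:
    """Walk three constructed findings through the lifecycle."""
    db = VulnerabilityDatabase()
    db.identify(Vulnerability("V-001", "web-01", "outdated TLS configuration",
                              "Internet VA", date(2024, 1, 8), "high"))
    db.identify(Vulnerability("V-002", "hr-db", "default vendor account enabled",
                              "platform security validation", date(2024, 1, 9), "medium"))
    db.identify(Vulnerability("V-003", "plant-plc", "unsupported firmware",
                              "intranet VA", date(2024, 1, 9), "low"))
    db.communicate("V-001", "web team", "apply hardened TLS profile")
    db.communicate("V-002", "DBA team", "disable the vendor account")
    db.communicate("V-003", "plant engineering", "isolate on a dedicated VLAN")
    db.remediate("V-001", verified_by="security analyst")
    db.accept_risk("V-003", "J. Doe", "CISO", "replacement scheduled next quarter")
    return db
```

Running demo() leaves V-002 as the only open item; the history list on each record is what a status report or an auditor would read to see who communicated, fixed or accepted each finding and when.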
5. Readiness and Review
The primary goal of the readiness and review domain is to keep the information security
program functioning as designed and to keep it continuously improving over time. This is
accomplished by the following:
1. Policy review: Policy needs to be reviewed and refreshed from time to time to ensure
that it’s sound—in other words, that it provides a current foundation for the
information security program.
2. Program review: Major planning components should be reviewed on a periodic basis to
ensure that they are current, accurate, and appropriate.
3. Rehearsals: When possible, major plan elements should be rehearsed.
The relationships among the sectors of the readiness and review domain are shown in
Figure 12-16. As the diagram indicates, policy review is the primary initiator of the
readiness and review domain. As policy is revised or current policy is confirmed, the various
planning elements are reviewed for compliance, the information security program is
reviewed, and rehearsals are held to make sure all participants are capable of responding as
needed.
1. Policy Review and Planning Review: Policy needs to be reviewed periodically.
2. Program Review: The CISO should conduct a thorough annual review of the organization's
information security program to ensure it meets current threats. The review is based on
maintenance activities and the CISO's role in the maintenance process. If the current program
isn't sufficient, the CISO must consider incremental improvements or restructure the
organization's information security function. No exact timetable for review is proposed.
3. Rehearsals and War Games: Where possible, major planning elements should be rehearsed.
Rehearsal adds value by exercising the procedures, identifying shortcomings, and providing
security personnel the opportunity to improve the security plan before it is needed. In addition,
rehearsals make people more effective when an actual event occurs. Rehearsals that closely
match reality are called war games. A war game or simulation puts a subset of plans in place to
create a realistic test environment. This adds to the value of the rehearsal and can enhance
training.
7. Discuss briefly about digital forensics in information security maintenance.
Digital forensics is based on the field of traditional forensics. Forensics is the coherent
application of methodical investigatory techniques to present evidence of crimes in a court or
court-like setting. Made popular by scientific detective shows focusing on crime scene
investigations, forensics involves the use of science to investigate events. Forensics allows
investigators to determine what happened by examining the results of an event.
Digital forensics involves the preservation, identification, extraction, documentation, and
interpretation of computer media for evidentiary and root cause analysis. It follows clear
methodologies but is as much art as science: the natural curiosity and personal skill of the
investigator play a key role in discovering potential evidentiary material. Evidentiary material
(EM), also known as an item of potential evidentiary value, is any information that could
support a legal or policy-based case against a suspect.
Purpose of Digital Forensics
Digital forensics investigators use a variety of tools to support their work; the tools and
methods used by attackers can be equally sophisticated. Digital forensics can be used for two
key purposes:
1. To investigate allegations of digital malfeasance. A crime against or using digital media,
computer technology, or related components (computer as source or object of crime) is
referred to as digital malfeasance. To investigate digital malfeasance, you must use digital
forensics to gather, analyze, and report the findings of an investigation. This is the primary
mission of law enforcement in investigating crimes involving computer technologies or online
information.
2. To perform root cause analysis. If an incident occurs and the organization suspects an attack
was successful, digital forensics can be used to examine the path and methodology used to gain
unauthorized access, as well as to determine how pervasive and successful the attack was. This
is used primarily by IR teams to examine their equipment after an incident.
Approaches for Digital Forensics
The organization must choose one of two approaches when employing digital forensics:
1. Protect and forget. This approach, also known as patch and proceed, focuses on the defense
of the data and the systems that house, use, and transmit it. An investigation that takes this
approach focuses on the detection and analysis of events to determine how they happened,
and to prevent recurrence. Once the current event is over, who caused it or why is almost
immaterial.
2. Apprehend and prosecute. This approach, also known as pursue and prosecute, focuses on
the identification and apprehension of responsible individuals, with additional attention on the
collection and preservation of potential EM that might support administrative or criminal
prosecution. This approach requires much more attention to detail to prevent contamination of
evidence that might hinder prosecution.
An organization might find it impossible to retain enough data to successfully handle even
administrative penalties, but it should certainly adopt the latter approach if it wishes to pursue
formal administrative penalties, especially if the employee is likely to challenge them.
The Digital Forensic Team
Organizations often cannot sustain a permanent digital forensics team, so it may be better to
collect data and outsource the analysis to a regional expert. This allows the organization to
maintain distance from the case and to have additional expertise available should the matter go
to court. However, there should be information security group members trained to understand
and manage the forensics process. This expertise can be obtained through regional or national
information security conferences or dedicated digital forensics training. Organizations should
choose training programs cautiously, as many focus on the analysis process rather than on
managing the process.
Affidavits and Search Warrants
Investigations usually begin with an allegation of an incident, such as sexual harassment or
discomfort in the workplace. The organization's forensics team must request permission to
examine digital media for potential EM. In law enforcement, an affidavit is created, stating that
certain facts warrant examination of specific items at a specific place. When an approving
authority signs the affidavit or creates a synopsis form, it becomes a search warrant, allowing
the investigation to search for EM at the specified location or seize items for examination.
Formal permission is obtained before an investigation occurs.
Digital Forensic Methodology
In digital forensics, all investigations follow the same basic methodology:
1. Identify relevant items of evidentiary value (EM)
2. Acquire (seize) the evidence without alteration or damage
3. Take steps to assure that the evidence is at every step verifiably authentic and is
unchanged from the time it was seized
4. Analyze the data without risking modification or unauthorized access
5. Report the findings to the proper authority
Digital Forensic Process
In simple words, digital forensics is the process of identifying, preserving, analyzing, and
presenting digital evidence. The first computer crimes were recognized in the 1978
Florida Computer Act, and after this the field of digital forensics grew rapidly in the
late 1980s and 1990s. It covers areas of analysis such as storage media, hardware, operating
systems, networks and applications. At a high level it consists of five steps:
1. Identification of evidence: This involves identifying evidence related to the digital
crime in storage media, hardware, operating system, network and/or applications, and is
the most important and basic step.
2. Collection: This involves preserving the digital evidence identified in the first step so that
it does not degrade or vanish with time. Preserving the digital evidence is very
important and crucial.
3. Analysis: This involves analysing the digital evidence collected from the compromised
computer to trace the criminal and the possible path used to breach the system.
4. Documentation: This involves proper documentation of the whole digital
investigation, the digital evidence, the loopholes of the attacked system, etc., so that the case
can be studied and analysed in future and can be presented in court in a proper
format.
5. Presentation: This involves the presentation of all the digital evidence and
documentation in court in order to prove the digital crime committed and identify
the criminal.
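Steps 2 and 3 of the methodology above (acquire the evidence without alteration, and keep it verifiably authentic and unchanged from the time it was seized) and the collection step of the five-step process both rest on the same mechanism: hash the acquired image at seizure, log every hand-off with the hash observed at that moment, and do the analysis on a copy. The following is an added example, not code from the text or from any forensic tool, showing that mechanism; the sample disk image and the examiner names are constructed, and a deliberately altered original is used to show how the check catches a change.

```python
"""Evidence integrity and chain of custody, added as an illustration (not from the text).

The seized image is hashed at acquisition, every hand-off is logged with the hash
observed then, analysis works on a copy, and the original can be re-verified at any
time.  The sample image and the examiner names are constructed for this example.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def fingerprint(data: bytes) -> str:
    """SHA-256 of the image; recorded at seizure and re-checked on every hand-off."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str
    custodian: str
    action: str
    digest: str          # hash observed when the entry was made


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    original: bytes      # the seized image itself
    acquisition_digest: str
    custody: list = field(default_factory=list)

    def record(self, custodian: str, action: str) -> None:
        """Append a custody entry carrying the current hash of the original."""
        self.custody.append(CustodyEntry(
            datetime.now(timezone.utc).isoformat(), custodian, action,
            fingerprint(self.original)))

    def working_copy(self, analyst: str) -> bytearray:
        """Hand the analyst a copy so analysis can never modify the original."""
        self.record(analyst, "working copy issued for analysis")
        return bytearray(self.original)

    def verify(self) -> bool:
        """True if the original still matches the hash taken at acquisition."""
        return fingerprint(self.original) == self.acquisition_digest

    def chain_intact(self) -> bool:
        """True if every custody entry saw the same hash as acquisition."""
        return all(e.digest == self.acquisition_digest for e in self.custody)


def acquire(item_id: str, description: str, source: bytes, examiner: str) -> EvidenceItem:
    """Step 2: take a bit-for-bit copy and hash it before anything else touches it."""
    image = bytes(source)
    item = EvidenceItem(item_id, description, image, fingerprint(image))
    item.record(examiner, "acquired and hashed at seizure")
    return item


# Constructed stand-in for a seized disk image.
SAMPLE_IMAGE = b"FAT12 boot sector ... user files ... deleted mail fragment"


def demo() -> tuple:
    """Returns (verified after analysis, verified after tampering, chain flagged change)."""
    item = acquire("EM-0001", "laptop disk image", SAMPLE_IMAGE, examiner="examiner A")
    item.record("evidence custodian", "checked into evidence locker")
    copy = item.working_copy("analyst B")
    copy[0:5] = b"xxxxx"            # the analyst may alter the copy freely
    ok_after_analysis = item.verify() and item.chain_intact()

    # Simulated mishandling: the stored original is altered after seizure.
    item.original = item.original[:-1] + b"!"
    item.record("analyst C", "opened for second review")
    ok_after_tamper = item.verify()
    chain_flags_change = not item.chain_intact()
    return ok_after_analysis, ok_after_tamper, chain_flags_change
```

The custody log is what step 3 asks for in practice: each entry ties a person and an action to the hash seen at that moment, so if the original is ever altered, verify() fails and chain_intact() points at the hand-off after which the digest changed.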
Branches of Digital Forensics
The branches of digital forensics are as follows:
1. Media forensics: It is the branch of digital forensics which includes the
identification, collection, analysis and presentation of audio, video and image evidence
during the investigation process.
2. Cyber forensics: It is the branch of digital forensics which includes identification,
collection, analysis and presentation of digital evidences during the investigation of a
cybercrime.
3. Mobile forensics: It is the branch of digital forensics which includes identification,
collection, analysis and presentation of digital evidences during the investigation of a
crime committed through a mobile device like mobile phones, GPS device, tablet,
laptop.
4. Software forensics: It is the branch of digital forensics which includes identification,
collection, analysis and presentation of digital evidences during the investigation of a
crime related to software only.
Evidentiary Procedures
In information security, most operations focus on policies, the documents which provide
managerial guidance for ongoing implementation in operations. In digital forensics, however,
the focus is on procedures. When investigating digital malfeasance or performing root
cause analysis, keep in mind that the results and methods of the investigation may end up in
criminal or civil court.