Stuart shows a small picture of information security to Grin

Stuart and Grin are childhood friends who meet again after a long time and talk about their professional lives.
Stuart : Which company are you working for, and in which domain?
Grin : I am working at ABC company, currently as a Java developer. What about you?
Stuart : I am working at XYZ company in Application/Network Security.
Grin : Security!!! What exactly is that, and what does it cover?
Now, Stuart answers...
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take.
Grin : Can you give me a short summary of which points you take into account?
Stuart : Yes, sure. To safeguard an organization's data from unauthorized access or modification, and to ensure its availability, confidentiality, and integrity, security professionals perform many different activities; some of them are:
  • Reviewing the application architecture and identifying the application security controls to include, with respect to the requirements
  • Threat profiling for the different functional requirements
  • Static Application Security Testing (SAST) on the application code
  • Dynamic Application Security Testing (DAST) on the application
  • Manual risk assessment of the application with respect to different controls such as authentication, authorization, encryption, error management, input validation, data protection, session management, user management, password management, etc.
  • Vulnerability management for the application
  • Checking whether your application environment complies with the different compliance standards
  • Scheduled security health checks of the application
  • Reviewing the network security architecture diagram, in which you check what all the devices like routers, firewalls, IDS, IPS, Ethernet, subnets, etc. can keep safe and secure
  • Ensuring all perimeter interfaces like firewalls and antivirus are properly in place
  • Configuring security rules in the IDS beyond the pre-defined rules, e.g. checks for specific trojans, peer-to-peer connections, etc.
  • Analyzing attacks based on inputs from surrounding security systems like SIEM, WAF, IDS
  • Preparing and following your patching calendar
  • Reviewing logs periodically
  • Performing VA on demand or on a planned schedule
  • Designing and developing a disaster recovery plan (DRP)
  • Testing the DRP periodically
  • Implementing a DLP solution to ensure your data protection
  • Designing a backup policy, including backup storage and restoration
  • Educating new/current employees of the organization/account about the Information Security domain

Grin : Stop, stop, stop... phewwww!!!! I am already awestruck after hearing such great stuff, which I was really unaware of.

Stuart : It's like you have seen a picture of the iceberg from a distance, for the InfoSec domain.

Grin : I will surely want to dive into the ocean of the InfoSec domain to know more. Thanks for introducing me to this :)
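As an added example (not part of the original article, and not the author's own code), here is what two of the activities in Stuart's list, periodic log review and analyzing attacks, can look like in practice. The script below parses constructed OpenSSH-style authentication log lines (sample data, not real traffic), counts failed logins per source address inside a sliding time window, and flags any source that bursts past a threshold, also noting whether a successful login from that source followed the burst. The log format, the threshold of 5 failures in 120 seconds, and the year supplied for the syslog timestamps are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in OpenSSH/syslog format (illustrative data, not real traffic).
SAMPLE_LOG = """\
Jan 12 10:01:02 web01 sshd[2311]: Failed password for root from 203.0.113.5 port 52211 ssh2
Jan 12 10:01:05 web01 sshd[2314]: Failed password for invalid user admin from 203.0.113.5 port 52212 ssh2
Jan 12 10:01:09 web01 sshd[2317]: Failed password for invalid user oracle from 203.0.113.5 port 52213 ssh2
Jan 12 10:01:12 web01 sshd[2319]: Failed password for root from 203.0.113.5 port 52214 ssh2
Jan 12 10:01:15 web01 sshd[2321]: Failed password for root from 203.0.113.5 port 52215 ssh2
Jan 12 10:01:20 web01 sshd[2325]: Accepted password for root from 203.0.113.5 port 52216 ssh2
Jan 12 10:02:30 web01 sshd[2330]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jan 12 10:02:41 web01 sshd[2332]: Accepted password for alice from 198.51.100.7 port 40012 ssh2
Jan 12 10:05:00 web01 sshd[2340]: Failed password for bob from 192.0.2.9 port 33001 ssh2
"""

# One sshd authentication line: timestamp, host, pid, result, user, source IP, port.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd line into a dict, or return None for lines we do not care about.

    Syslog timestamps carry no year, so the caller supplies one (an assumption here)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse the space-padded day ("Jan  2")
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=120):
    """Flag source IPs with at least `threshold` failed logins inside any span of
    `window_seconds`. A later successful login from the same source is recorded
    too, because that is the case an analyst has to act on first."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most window_seconds.
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["ts"]
                success_after = any(
                    e["result"] == "Accepted" and e["ts"] >= burst_end for e in evs
                )
                findings[ip] = {
                    "failures": len(fails),
                    "users": sorted({e["user"] for e in fails}),
                    "success_after_burst": success_after,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures against {info['users']}, "
              f"login succeeded afterwards: {info['success_after_burst']}")
```

On the sample data only 203.0.113.5 is flagged: five failures in thirteen seconds against three different accounts, followed by an accepted login for root, which is the pattern that turns a noisy scan into an incident. The two hosts with a single failed attempt each stay below the threshold, which is the point of windowing rather than counting raw failures. In a real environment the same logic would run over the SIEM's copy of the logs rather than a literal string, and the threshold and window would be tuned against the normal failure rate of the systems being watched.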

Authored by Mehul Shah