Information systems security officer
CS 996: Information Security Management

Pavel Margolin

4/20/05


Overview

  • Who is an ISSO?

  • Duties and Responsibilities

  • Planning

  • Establishing the CIAPP

  • InfoSec Functions

  • InfoSec in the Government


Who is an ISSO?

  • ISSO – Information Systems Security Officer

  • Reports to the Chief Information Officer (CIO), who reports to the CEO.

  • Leader of the Information Security (InfoSec) organization.

  • Qualifications

    • Manage and organize people

    • Communicate with upper management without much technical detail

    • Have enough technical expertise to understand systems and make decisions


Duties and Responsibilities

  • Establishing and enforcing Corporate Information Assets Protection Program (CIAPP)

  • Managing people

  • Managing the business of CIAPP

  • Managing CIAPP processes

  • Hiring InfoSec staff

  • Reporting to upper management


Planning

  • Strategic Plan (ISSSP)

    • Compatible with Strategic Business Plan

    • Long-term direction, goals, and objectives

  • Tactical Plan (ITP)

    • Short-range plan

    • Supports CIAPP and InfoSec functional goals and objectives

  • Annual Plan (IAP)

    • Identify and implement projects to accomplish the goals and objectives in the ISSSP and ITP

    • Plan of projects for the year


Establishing the CIAPP

  • Reasons for the CIAPP

  • Corporate vision, mission, and quality statements

  • Corporate strategic, tactical, and annual business plans

  • InfoSec vision, mission and quality statements

  • InfoSec strategic, tactical and annual business plans

  • Information and systems legal, ethical, and best business practices

  • Overall information assets protection plans, policies, and procedures

  • Current CIAPP-related and InfoSec policies

  • Current CIAPP-related and InfoSec procedures

  • Other topics as deemed appropriate by the ISSO


CIAPP Process

[Diagram, labels only: Laws; Regulations; Business Practices; Ethics; Risk Assessments (Vulnerability assessments, Threat Assessments, Limited Risk assessments, Risk analyses); Best InfoSec Practices; Costs; Profits; Sales; Public Relations; Stockholders’ value; Business Decisions; InfoSec Policies; InfoSec Procedures; InfoSec Processes; CIAPP]


Example CIAPP Requirements and Policy Directive

  • Introduction Section

  • Purpose Section

  • Scope Section

  • Responsibilities

  • Requirements Section

    • Identifying the value of the information

    • Access to information systems

    • Access to specific applications and files

    • Audit trails and their review

    • Reporting and response in the event of a violation

    • Minimum protection requirements for the hardware, firmware and software

    • Requirements for InfoSec procedures at other departments and lower levels of the corporation

  • Physical Security

    • Optional if Physical Security is handled by the Director of Security


InfoSec Functions

  • Processes

  • Valuing Information

  • Awareness

  • Access Control

  • Evaluation of all hardware, firmware and software

  • Risk Management

  • Security Tests and evaluations program

  • Noncompliance Inquiries

  • Contingency and emergency planning and disaster recovery program (CEP-DR)


Function Drivers

  • Requirements-Drivers

    • Customers

    • Contracts

    • InfoSec Custodians

    • Users

    • Management

    • Audits

    • Tests & Evaluations

    • Other employees

    • Laws

    • Regulations

    • Non-compliance Inquiries

    • Investigations

    • Trade articles

    • Technical Bulletins

    • Business Plans

    • ISSO’s plans

    • Best business practices

    • Best InfoSec practices

  • ISSO Organizational Functions

    • Identification of InfoSec requirements

    • Access control

    • Non-compliance Inquiries (NCI)

    • Disaster Recovery/Emergency Planning

    • Tests and Evaluations

    • Intranet Security

    • Internet and Web Site Security

    • Security Applications Protection

    • Security Software Development

    • Software Interface InfoSec Evaluations

    • Access Control Violations Analysis

    • Systems’ Approvals

    • CIAPP Awareness and Training

    • Contractual Compliance Inspections

    • InfoSec Risk Management

[Diagram, labels only: CIAPP; ISSO’s CIAPP organizational requirements; Responsibilities Charter]


InfoSec in the Government

  • National Security Classified Information

    • Confidential – loss of this information can cause damage to national security

    • Secret – loss of this information can cause serious damage to national security

    • Top Secret – loss of this information can cause grave damage to national security

    • Black/Compartmented – Granted on a need to know (NTK) basis. Ex: Sensitive Compartmented Information (SCI).

  • Unclassified

    • For Official Use Only

    • Unclassified but Sensitive Information

    • Unclassified


InfoSec Requirements in the Government

  • InfoSec policy – laws, rules, practices that regulate how organizations handle national security data.

  • Accountability – assigning responsibility and accountability to individuals or groups who deal with national security information

  • Assurance – guarantees that the InfoSec policy is implemented correctly and the InfoSec elements accurately mediate and enforce the policy

  • Documentation – records how a system is structured, its functions and how the system was designed


InfoSec Objectives in the Government

  • Protect and defend all information used by an AIS (automated information system)

  • Prevent unauthorized access, modification, damage, destruction, or DoS

  • Provide assurances of:

    • Compliance with government and contractual obligations and agreements

    • Confidentiality of all classified information

    • Integrity of information and related processes

    • Availability of information

    • Usage by authorized personnel only of the information and AIS

  • Identification and elimination of fraud, waste, and abuse


ISSO at Gov’t Agencies

  • Maintain a plan for site security improvement

  • Ensure IS systems are operated, used, maintained and disposed of properly

  • Ensure IS systems are certified and accredited

  • Ensure users and personnel have required security clearances, authorization, NTK, and are familiar with internal security practices

  • Enforce security policies and safeguards on personnel having access to an IS

  • Ensure audit trails are reviewed periodically

  • Initiate protective and corrective measures

  • Report security incidents in accordance with agency specific policy

  • Report the security status of the IS

  • Evaluate known vulnerabilities to determine if additional security is needed


Levels of Performance

  • Entry Level

    • Identify vulnerabilities and recommend security solutions required to return the system to an operational level of assurance.

  • Intermediate Level

    • For a new system architecture, investigate and document system security technology, policies and training requirements to assure system operation at a specified level of assurance

  • Advanced Level

    • For an accreditation action, analyze and evaluate system security technology, policy and training requirements in support of upper management. The analysis will include a description of the management/technology team required to successfully complete the accreditation process


Duties of Gov’t ISSO

  • Develop Certification and Accreditation Posture

    • Plan for Certification and Accreditation

    • Create CIA Policy

    • Control Systems Policy

    • Culture and Ethics

    • Incident Response

  • Implement Site Security Policy

    • Provide CIA

    • Ensure Facility is approved

    • Manage Operations of Information Systems

    • Regulate General Principles

      • Access Control, Training, Awareness, Legal aspects, CC, etc.

    • Security Management

    • Access Controls

      • Human Access

      • Key Management

    • Incident Response


Duties (continued)

  • Enforce and verify system security policy

    • CIA and Accountability

    • Security Management

    • Access Controls

    • Automated Security Tools

    • Handling Media

    • Incident Response

  • Report on site security Status

    • Security Continuity Reporting

    • Report Security Incidents

    • Law

    • Report Security Status of IS as required by upper management

    • Report to Inspector General (IG)


Duties (continued)

  • Support Certification and Accreditation

    • Certification Functions

    • Accreditation Functions

    • Respond to upper management requests


References

  • Kovacich, Dr. Gerald L., “The Information Systems Security Officer’s Guide: Establishing and Managing an Information Protection Program”

  • “Information Assurance Training Standard for Information Systems Security Officers” http://www.cnss.gov/instructions.html
