Information Systems Security Officer

CS 996: Information Security Management

Pavel Margolin, 4/20/05

Overview
  • Who is an ISSO?
  • Duties and Responsibilities
  • Planning
  • Establishing the CIAPP
  • InfoSec Functions
  • InfoSec in the Government
Who is an ISSO?
  • ISSO – Information Systems Security Officer
  • Reports to the Chief Information Officer (CIO), who reports to the CEO.
  • Leader of the Information Security (InfoSec) organization.
  • Qualifications
    • Manage and organize people
    • Communicate with upper management without much technical detail
    • Have enough technical expertise to understand systems and make decisions
Duties and Responsibilities
  • Establishing and enforcing Corporate Information Assets Protection Program (CIAPP)
  • Managing people
  • Managing the business of CIAPP
  • Managing CIAPP processes
  • Hiring InfoSec staff
  • Reporting to upper management
  • Strategic Plan (ISSSP)
    • Compatible with Strategic Business Plan
    • Long-term direction, goals, and objectives
  • Tactical Plan (ITP)
    • Short-range plan
    • Supports CIAPP and InfoSec functional goals and objectives
  • Annual Plan (IAP)
    • Identify and implement projects to accomplish the goals and objectives in the ISSSP and ITP
    • Plan of projects for the year
Establishing the CIAPP
  • Reasons for the CIAPP
  • Corporate vision, mission, and quality statements
  • Corporate strategic, tactical, and annual business plans
  • InfoSec vision, mission and quality statements
  • InfoSec strategic, tactical and annual business plans
  • Information and systems legal, ethical, and best business practices
  • Overall information assets protection plans, policies, and procedures
  • Current CIAPP-related and InfoSec policies
  • Current CIAPP-related and InfoSec procedures
  • Other topics as deemed appropriate by the ISSO
CIAPP Process
(Slide diagram; only its labelled elements are recoverable here.)
  • Business Practices
    • Risk Assessments
    • Vulnerability assessments
    • Threat Assessments
    • Limited Risk assessments
    • Risk analyses
    • Best InfoSec Practices
  • Public Relations
  • Stockholders’ value
  • Business Decisions
  • InfoSec Policies
  • InfoSec Procedures
  • InfoSec Processes
Example CIAPP Requirements and Policy Directive
  • Introduction Section
  • Purpose Section
  • Scope Section
  • Responsibilities
  • Requirements Section
    • Identifying the value of the information
    • Access to information systems
    • Access to specific applications and files
    • Audit trails and their review
    • Reporting and response in the event of a violation
    • Minimum protection requirements for the hardware, firmware and software
    • Requirements for InfoSec procedures at other departments and lower levels of the corporation
  • Physical Security
    • Optional if Physical Security is handled by the Director of Security
InfoSec Functions
  • Processes
  • Valuing Information
  • Awareness
  • Access Control
  • Evaluation of all hardware, firmware and software
  • Risk Management
  • Security Tests and evaluations program
  • Noncompliance Inquiries
  • Contingency and emergency planning and disaster recovery program (CEP-DR)
Function Drivers
(Slide diagram; its two columns and connecting labels are listed below.)
  • Requirements-Drivers
    • Customers
    • Contracts
    • InfoSec Custodians
    • Users
    • Management
    • Audits
    • Tests & Evaluations
    • Other employees
    • Laws
    • Regulations
    • Non-compliance Inquiries
    • Investigations
    • Trade articles
    • Technical Bulletins
    • Business Plans
    • ISSO’s plans
    • Best business practices
    • Best InfoSec practices
  • ISSO Organizational Functions
    • Identification of InfoSec requirements
    • Access control
    • Non-compliance Inquiries (NCI)
    • Disaster Recovery/Emergency Planning
    • Tests and Evaluations
    • Intranet Security
    • Internet and Web Site Security
    • Security Applications Protection
    • Security Software Development
    • Software Interface InfoSec Evaluations
    • Access Control Violations Analysis
    • Systems’ Approvals
    • CIAPP Awareness and Training
    • Contractual Compliance Inspections
    • InfoSec Risk Management
  • Diagram labels: ISSO’s CIAPP organizational requirements; Responsibilities Charter
InfoSec in the Government
  • National Security Classified Information
    • Confidential – loss of this information can cause damage to national security
    • Secret – loss of this information can cause serious damage to national security
    • Top Secret – loss of this information can cause grave damage to national security
    • Black/Compartmented – Granted on a need to know (NTK) basis. Ex: Sensitive Compartmented Information (SCI).
  • Unclassified
    • For Official Use Only
    • Unclassified but Sensitive Information
    • Unclassified
InfoSec Requirements in the Government
  • InfoSec policy – laws, rules, practices that regulate how organizations handle national security data.
  • Accountability – assigning responsibility and accountability to individuals or groups who deal with national security information
  • Assurance – guarantees that the InfoSec policy is implemented correctly and the InfoSec elements accurately mediate and enforce the policy
  • Documentation – records how a system is structured, its functions and how the system was designed
InfoSec Objectives in the Government
  • Protect and defend all information used by an AIS (automated information system)
  • Prevent unauthorized access, modification, damage, destruction, or DoS
  • Provide assurances of:
    • Compliance with government and contractual obligations and agreements
    • Confidentiality of all classified information
    • Integrity of information and related processes
    • Availability of information
    • Usage by authorized personnel only of the information and AIS
  • Identification and elimination of fraud, waste, and abuse
ISSO at Gov’t Agencies
  • Maintain a plan for site security improvement
  • Ensure IS systems are operated, used, maintained and disposed of properly
  • Ensure IS systems are certified and accredited
  • Ensure users and personnel have required security clearances, authorization, NTK, and are familiar with internal security practices
  • Enforce security policies and safeguards on personnel having access to an IS
  • Ensure audit trails are reviewed periodically
  • Initiate protective and corrective measures
  • Report security incidents in accordance with agency specific policy
  • Report the security status of the IS
  • Evaluate known vulnerabilities to determine if additional security is needed
Levels of Performance
  • Entry Level
    • Identify vulnerabilities and recommend security solutions required to return the system to an operational level of assurance.
  • Intermediate Level
    • For a new system architecture, investigate and document system security technology, policies and training requirements to assure system operation at a specified level of assurance
  • Advanced Level
    • For an accreditation action, analyze and evaluate system security technology, policy and training requirements in support of upper management. The analysis will include a description of the management/technology team required to successfully complete the accreditation process
Duties of Gov’t ISSO
  • Develop Certification and Accreditation Posture
    • Plan for Certification and Accreditation
    • Create CIA Policy
    • Control Systems Policy
    • Culture and Ethics
    • Incident Response
  • Implement Site Security Policy
    • Provide CIA
    • Ensure Facility is approved
    • Manage Operations of Information Systems
    • Regulate General Principles
      • Access Control, Training, Awareness, Legal aspects, CC, etc
    • Security Management
    • Access Controls
      • Human Access
      • Key Management
    • Incident Response
Duties (continued)
  • Enforce and verify system security policy
    • CIA and Accountability
    • Security Management
    • Access Controls
    • Automated Security Tools
    • Handling Media
    • Incident Response
  • Report on site security status
    • Security Continuity Reporting
    • Report Security Incidents
    • Law
    • Report Security Status of IS as required by upper management
    • Report to Inspector General (IG)
Duties (continued)
  • Support Certification and Accreditation
    • Certification Functions
    • Accreditation Functions
    • Respond to upper management requests
References
  • Kovacich, Dr. Gerald L., “The Information Systems Security Officer’s Guide: Establishing and Managing an Information Protection Program”
  • “Information Assurance Training Standard for Information Systems Security Officers”