Information systems security officer
Information Systems Security Officer

CS 996: Information Security Management

Pavel Margolin

4/20/05


Overview

  • Who is an ISSO?

  • Duties and Responsibilities

  • Planning

  • Establishing the CIAPP

  • InfoSec Functions

  • InfoSec in the Government


Who is an ISSO?

  • ISSO – Information Systems Security Officer

  • Reports to the Chief Information Officer (CIO), who reports to the CEO.

  • Leader of the Information Security (InfoSec) organization.

  • Qualifications

    • Manage and organize people

    • Communicate with upper management without much technical detail

    • Have enough technical expertise to understand systems and make decisions


Duties and Responsibilities

  • Establishing and enforcing Corporate Information Assets Protection Program (CIAPP)

  • Managing people

  • Managing the business of CIAPP

  • Managing CIAPP processes

  • Hiring InfoSec staff

  • Reporting to upper management


Planning

  • Strategic Plan (ISSSP)

    • Compatible with Strategic Business Plan

    • Long-term direction, goals, and objectives

  • Tactical Plan (ITP)

    • Short-range plan

    • Supports CIAPP and InfoSec functional goals and objectives

  • Annual Plan (IAP)

    • Identify and implement projects to accomplish the goals and objectives in the ISSSP and ITP

    • Plan of projects for the year


Establishing the CIAPP

  • Reasons for the CIAPP

  • Corporate vision, mission, and quality statements

  • Corporate strategic, tactical, and annual business plans

  • InfoSec vision, mission and quality statements

  • InfoSec strategic, tactical and annual business plans

  • Information and systems legal, ethical, and best business practices

  • Overall information assets protection plans, policies, and procedures

  • Current CIAPP-related and InfoSec policies

  • Current CIAPP-related and InfoSec procedures

  • Other topics as deemed appropriate by the ISSO


CIAPP Process

(This slide is a flow diagram; its labels are reproduced here, grouped as they appear on the slide.)

  • Inputs to the CIAPP process

    • Laws

    • Regulations

    • Business Practices

    • Ethics

    • Risk Assessments

    • Vulnerability assessments

    • Threat Assessments

    • Limited Risk assessments

    • Risk analyses

    • Best InfoSec Practices

  • Business considerations feeding Business Decisions

    • Costs

    • Profits

    • Sales

    • Public Relations

    • Stockholders’ value

  • Outputs of the CIAPP process

    • InfoSec Policies

    • InfoSec Procedures

    • InfoSec Processes

    • CIAPP


Example CIAPP Requirements and Policy Directive

  • Introduction Section

  • Purpose Section

  • Scope Section

  • Responsibilities

  • Requirements Section

    • Identifying the value of the information

    • Access to information systems

    • Access to specific applications and files

    • Audit trails and their review

    • Reporting and response in the event of a violation

    • Minimum protection requirements for the hardware, firmware and software

    • Requirements for InfoSec procedures at other departments and lower levels of the corporation

  • Physical Security

    • Optional if Physical Security is handled by the Director of Security


InfoSec Functions

  • Processes

  • Valuing Information

  • Awareness

  • Access Control

  • Evaluation of all hardware, firmware and software

  • Risk Management

  • Security Tests and evaluations program

  • Noncompliance Inquiries

  • Contingency and emergency planning and disaster recovery program (CEP-DR)


Function Drivers

  • Requirements-Drivers

    • Customers

    • Contracts

    • InfoSec Custodians

    • Users

    • Management

    • Audits

    • Tests & Evaluations

    • Other employees

    • Laws

    • Regulations

    • Non-compliance Inquiries

    • Investigations

    • Trade articles

    • Technical Bulletins

    • Business Plans

    • ISSO’s plans

    • Best business practices

    • Best InfoSec practices

  • ISSO Organizational Functions

    • Identification of InfoSec requirements

    • Access control

    • Non-compliance Inquiries (NCI)

    • Disaster Recovery/Emergency Planning

    • Tests and Evaluations

    • Intranet Security

    • Internet and Web Site Security

    • Security Applications Protection

    • Security Software Development

    • Software Interface InfoSec Evaluations

    • Access Control Violations Analysis

    • Systems’ Approvals

    • CIAPP Awareness and Training

    • Contractual Compliance Inspections

    • InfoSec Risk Management

(The slide diagram also carries the labels CIAPP, ISSO’s CIAPP organizational requirements, and Responsibilities Charter.)


InfoSec in the Government

  • National Security Classified Information

    • Confidential – loss of this information can cause damage to national security

    • Secret – loss of this information can cause serious damage to national security

    • Top Secret – loss of this information can cause grave damage to national security

    • Black/Compartmented – granted on a need-to-know (NTK) basis. Example: Sensitive Compartmented Information (SCI).

  • Unclassified

    • For Official Use Only

    • Unclassified but Sensitive Information

    • Unclassified


InfoSec Requirements in the Government

  • InfoSec policy – laws, rules, practices that regulate how organizations handle national security data.

  • Accountability – assigning responsibility and accountability to individuals or groups who deal with national security information

  • Assurance – guarantees that the InfoSec policy is implemented correctly and the InfoSec elements accurately mediate and enforce the policy

  • Documentation – records how a system is structured, its functions and how the system was designed


InfoSec Objectives in the Government

  • Protect and defend all information used by an AIS (automated information system)

  • Prevent unauthorized access, modification, damage, destruction, or DoS

  • Provide assurances of:

    • Compliance with government and contractual obligations and agreements

    • Confidentiality of all classified information

    • Integrity of information and related processes

    • Availability of information

    • Usage by authorized personnel only of the information and AIS

  • Identification and elimination of fraud, waste, and abuse


ISSO at Gov’t Agencies

  • Maintain a plan for site security improvement

  • Ensure information systems (IS) are operated, used, maintained and disposed of properly

  • Ensure IS are certified and accredited

  • Ensure users and personnel have required security clearances, authorization, NTK, and are familiar with internal security practices

  • Enforce security policies and safeguards on personnel having access to an IS

  • Ensure audit trails are reviewed periodically

  • Initiate protective and corrective measures

  • Report security incidents in accordance with agency specific policy

  • Report the security status of the IS

  • Evaluate known vulnerabilities to determine if additional security is needed


Levels of Performance

  • Entry Level

    • Identify vulnerabilities and recommend security solutions required to return the system to an operational level of assurance.

  • Intermediate Level

    • For a new system architecture, investigate and document system security technology, policies and training requirements to assure system operation at a specified level of assurance

  • Advanced Level

    • For an accreditation action, analyze and evaluate system security technology, policy and training requirements in support of upper management. The analysis will include a description of the management/technology team required to successfully complete the accreditation process


Duties of Gov’t ISSO

  • Develop Certification and Accreditation Posture

    • Plan for Certification and Accreditation

    • Create CIA Policy

    • Control Systems Policy

    • Culture and Ethics

    • Incident Response

  • Implement Site Security Policy

    • Provide CIA

    • Ensure Facility is approved

    • Manage Operations of Information Systems

    • Regulate General Principles

      • Access Control, Training, Awareness, Legal aspects, CC, etc.

    • Security Management

    • Access Controls

      • Human Access

      • Key Management

    • Incident Response


Duties (continued)

  • Enforce and verify system security policy

    • CIA and Accountability

    • Security Management

    • Access Controls

    • Automated Security Tools

    • Handling Media

    • Incident Response

  • Report on site security Status

    • Security Continuity Reporting

    • Report Security Incidents

    • Law

    • Report Security Status of IS as required by upper management

    • Report to Inspector General (IG)


Duties (continued)

  • Support Certification and Accreditation

    • Certification Functions

    • Accreditation Functions

    • Respond to upper management requests


References

  • Kovacich, Dr. Gerald L., “The Information Systems Security Officer’s Guide: Establishing and Managing an Information Protection Program”

  • “Information Assurance Training Standard for Information Systems Security Officers” http://www.cnss.gov/instructions.html
