
Chapter 5 Developing the Security Program



  1. Chapter 5 Developing the Security Program Presented by: Jennifer, Sergey & Kalagee Slides by: Ryan

  2. Outline • Introduction • Organizing for Security • Information Security Placement • Components of the Security Program • Information Security Roles and Titles • Security Education, Training, and Awareness

  3. Introduction • Security program • The entire set of personnel, plans, and policies related to information security • The same term is also used for corporate or physical security, so the more specific term below is preferred • Information security program • A structured effort to contain risks to information assets

  4. Organizing for Security • Security Program Influences • Organizational culture • Company size and available resources • Security personnel and capital budget

  5. Organization Sizes (typical share of the IT budget spent on information security) • Small (10-100 computers): 20% of IT budget • Medium (100-1,000 computers): 11% of IT budget • Large (1,000-10,000 computers): 5% of IT budget • Very Large (10,000+ computers): 6% of IT budget

  6. Information Security Functions (figure) • Risk assessment • Risk management • Systems testing • Policy • Legal assessment • Incident response planning • Vulnerability assessment • Measurement • Compliance • Centralized authentication • Systems security administration • Training • Network security administration

  7. Security Function Distribution • Non-technology business units • Legal assessment and training • IT groups outside of information security • Systems and network administration • Information security as customer service • Planning, testing, risk assessment, incident response, vulnerability assessment • Information security as compliance enforcement • Policy, compliance, and risk management

  8. Large Org. Staffing

  9. Very Large Org. Staffing

  10. Medium Org. Staffing

  11. Small Org. Staffing

  12. Security Placement • Criteria for choosing where the information security function is placed in the organization: • Openness to new ideas • Clout with top management • Respect in the eyes of a wide variety of employees • Comfort and familiarity with information security concepts • Willingness to defend the best interest of the organization in the long run

  13. Security Placement Locations (figure) • IT • Security • Administrative Services • Insurance and Risk Management • Strategy and Planning • Legal • Internal Audit • Help Desk • Accounting and Finance Through IT • Human Resources • Facilities Management • Operations

  14. IT

  15. Security

  16. Administrative Services

  17. Insurance & Risk

  18. Strategy & Planning

  19. Legal

  20. Other Options • Internal Audit • Help Desk • Accounting and Finance Through IT • Human Resources • Facilities Management • Operations

  21. Components of the Security Program • InfoSec needs are unique to the culture, size, and budget of the organization • Guided by the organization's mission and vision statements • The CIO and CISO use the mission and vision statements to formulate the InfoSec program's own mission statement

  22. Elements of a Security Program (NIST SP 800-12) • Policy • Program management • Risk management • Life-cycle planning • Personnel and user issues • Contingency and disaster recovery planning • Computer security incident handling

  23. Elements of a Security Program (NIST SP 800-12, cont) • Awareness and training • Security considerations in computer support and operations • Physical and environmental security • Identification and authentication • Logical access control • Audit trails • Cryptography

  24. Information Security Roles and Titles • Those that define • Provide policies, guidelines, and standards • Those that build • Create and install security solutions • Those that administer • Monitor and improve the security process

  25. Job Function Categories • Chief Information Security Officer (CISO) • Security manager • Security administrator/analyst • Security technician • Security staffer • Security consultant • Security officer and investigator • Help desk personnel

  26. Chief Information Security Officer (CISO) • Responsible for the assessment, management, and implementation of the InfoSec program • Other titles used for the role • Manager for Security • Security Administrator • In most cases reports to the CIO

  27. Security Manager • Oversees the day-to-day operation of the InfoSec program • Scheduling • Setting priorities • Administering procedural tasks • Reports to the CISO • Needs some technical knowledge

  28. Security Administrator/Analyst • Has both technical knowledge and managerial skill • Manages the day-to-day operation of the InfoSec program • Assists in the development and delivery of training programs and policies

  29. Security Technician • Subject matter experts • Implement security software • Diagnose and troubleshoot problems • Coordinate with administrators to ensure security is properly implemented • Tend to be specialized in one technology or product

  30. Security Staffer • Individuals who perform routine watch-standing activities • Staffing intrusion detection consoles • Monitoring email • Perform routine, yet critical, tasks

  31. Security Consultants • Experts in some aspect of InfoSec • Disaster recovery • Business continuity planning • Policy development • Strategic planning

  32. Security Officers and Investigators • Sometimes necessary to protect highly sensitive data from physical threats • The three G's of physical security • Guards • Gates • Guns

  33. Help Desk Personnel • Enhance the security team's ability to identify potential problems • Must be prepared to identify and diagnose both • Traditional technical problems • Threats to information security

  34. Security Education, Training, and Awareness (SETA) • Responsibility of the CISO • Designed to reduce accidental security breaches • Can improve employee behavior • Informs members of the organization where to report violations of policy • Allows the organization to hold employees accountable for their actions

  35. Purpose of SETA • Enhance security • By building in-depth knowledge to design, implement, or operate security programs for organizations and systems • By developing skills and knowledge so that computer users can perform their jobs more securely • By improving awareness of the need to protect system resources

  36. Security Education • Information security training programs must address: • Information security educational components • General education requirements

  37. Developing InfoSec Curricula • Curriculum standards bodies • ACM • IEEE • ABET • None of them currently provides an InfoSec curriculum model

  38. Developing InfoSec Curricula • Expected learning outcomes must be carefully mapped • Knowledge map • Helps prospective students compare InfoSec programs • Identifies the skill and knowledge clusters obtained by program graduates

  39. InfoSec Knowledge Map (figure)

  40. Security Training • Provides employees with hands-on training • Delivered in-house or outsourced • NIST provides free InfoSec training guidance • NIST SP 800-16

  41. Security Training • Customizing training by functional background • General user • Managerial user • Technical user • Job category • Job function • Technology product

  42. Security Training • Customizing training by skill level • Novice • Intermediate • Advanced

  43. Training for General Users • Commonly delivered during employee orientation • Employees are educated on a wide variety of policies • Good security practices • Password management • Specialized access controls • Violation reporting

  44. Training for Managerial Users • Similar to general user training • More personalized • Small groups • More interaction and discussion

  45. Training for Technical Users • Developing advanced technical training • By job category • By job function • By technology product

  46. Training Techniques • Use correct teaching methods • Take advantage of latest learning technology • Use best practices • On-site training is beneficial

  47. Delivery Methods • Delivery method choice is influenced by • Budget • Scheduling • Needs of organization • Delivery methods • One-on-one • Formal Class • Computer-Based Training (CBT)

  48. Delivery Methods (cont) • Distance learning • Web Seminars • User Support Group • On-Site Training • Self-Study

  49. Selecting Training Staff • Use a local training program or continuing education department • Use an external training agency • Hire a professional trainer • Hire a consultant, or someone from an accredited institution, to conduct on-site training • Organize and conduct training in-house using the organization's own employees

  50. Implementing Training • Identify program scope, goals and objectives • Identify training staff • Identify target audiences • Motivate management and employees • Administer the program • Maintain the program • Evaluate the program
