Information Systems Security Officer

CS 996: Information Security Management

Pavel Margolin, 4/20/05
Overview

  • Who is an ISSO?

  • Duties and Responsibilities

  • Planning

  • Establishing the CIAPP

  • InfoSec Functions

  • InfoSec in the Government

Who is an ISSO?

  • ISSO – Information Systems Security Officer

  • Reports to the Chief Information Officer (CIO), who reports to the CEO.

  • Leader of the Information Security (InfoSec) organization.

  • Qualifications

    • Manage and organize people

    • Communicate with upper management without excessive technical detail

    • Have enough technical expertise to understand systems and make decisions

Duties and Responsibilities

  • Establishing and enforcing the Corporate Information Assets Protection Program (CIAPP)

  • Managing people

  • Managing the business of the CIAPP

  • Managing CIAPP processes

  • Hiring InfoSec staff

  • Reporting to upper management

Planning

  • Strategic Plan (ISSSP)

    • Compatible with Strategic Business Plan

    • Long-term direction, goals, and objectives

  • Tactical Plan (ITP)

    • Short-range plan

    • Supports CIAPP and InfoSec functional goals and objectives

  • Annual Plan (IAP)

    • Identify and implement projects to accomplish the goals and objectives in the ISSSP and ITP

    • Plan of projects for the year

Establishing the CIAPP

  • Reasons for the CIAPP

  • Corporate vision, mission, and quality statements

  • Corporate strategic, tactical, and annual business plans

  • InfoSec vision, mission and quality statements

  • InfoSec strategic, tactical and annual business plans

  • Information and systems legal, ethical, and best business practices

  • Overall information assets protection plans, policies, and procedures

  • Current CIAPP-related and InfoSec policies

  • Current CIAPP-related and InfoSec procedures

  • Other topics as deemed appropriate by the ISSO

CIAPP Process

Elements shown on the process diagram:

  • Business Practices

    • Risk Assessments

    • Vulnerability assessments

    • Threat Assessments

    • Limited Risk assessments

    • Risk analyses

    • Best InfoSec Practices

  • Public Relations

  • Stockholders’ value

  • Business Decisions

  • InfoSec Policies

  • InfoSec Procedures

  • InfoSec Processes

Example CIAPP Requirements and Policy Directive

  • Introduction Section

  • Purpose Section

  • Scope Section

  • Responsibilities

  • Requirements Section

    • Identifying the value of the information

    • Access to information systems

    • Access to specific applications and files

    • Audit trails and their review

    • Reporting and response in the event of a violation

    • Minimum protection requirements for the hardware, firmware and software

    • Requirements for InfoSec procedures at other departments and lower levels of the corporation

  • Physical Security

    • Optional if Physical Security is handled by the Director of Security

InfoSec Functions

  • Processes

  • Valuing Information

  • Awareness

  • Access Control

  • Evaluation of all hardware, firmware and software

  • Risk Management

  • Security Tests and evaluations program

  • Noncompliance Inquiries

  • Contingency and emergency planning and disaster recovery program (CEP-DR)

Function Drivers

  • Requirements-Drivers

    • Customers

    • Contracts

    • InfoSec Custodians

    • Users

    • Management

    • Audits

    • Tests & Evaluations

    • Other employees

    • Laws

    • Regulations

    • Non-compliance Inquiries

    • Investigations

    • Trade articles

    • Technical Bulletins

    • Business Plans

    • ISSO’s plans

    • Best business practices

    • Best InfoSec practices

  • ISSO Organizational Functions

    • Identification of InfoSec requirements

    • Access control

    • Non-compliance Inquiries (NCI)

    • Disaster Recovery/Emergency Planning

    • Tests and Evaluations

    • Intranet Security

    • Internet and Web Site Security

    • Security Applications Protection

    • Security Software Development

    • Software Interface InfoSec Evaluations

    • Access Control Violations Analysis

    • Systems’ Approvals

    • CIAPP Awareness and Training

    • Contractual Compliance Inspections

    • InfoSec Risk Management

Also shown on the slide diagram: ISSO’s CIAPP organizational requirements; Responsibilities Charter.

InfoSec in the Government

  • National Security Classified Information

    • Confidential – loss of this information can cause damage to national security

    • Secret – loss of this information can cause serious damage to national security

    • Top Secret – loss of this information can cause grave damage to national security

    • Black/Compartmented – Granted on a need to know (NTK) basis. Ex: Sensitive Compartmented Information (SCI).

  • Unclassified

    • For Official Use Only

    • Unclassified but Sensitive Information

    • Unclassified

InfoSec Requirements in the Government

  • InfoSec policy – laws, rules, practices that regulate how organizations handle national security data.

  • Accountability – assigning responsibility and accountability to individuals or groups who deal with national security information

  • Assurance – guarantees that the InfoSec policy is implemented correctly and the InfoSec elements accurately mediate and enforce the policy

  • Documentation – records how a system is structured, its functions and how the system was designed

InfoSec Objectives in the Government

  • Protect and defend all information used by an AIS (automated information system)

  • Prevent unauthorized access, modification, damage, destruction, or DoS

  • Provide assurances of:

    • Compliance with government and contractual obligations and agreements

    • Confidentiality of all classified information

    • Integrity of information and related processes

    • Availability of information

    • Usage by authorized personnel only of the information and AIS

  • Identification and elimination of fraud, waste, and abuse

ISSO at Gov’t Agencies

  • Maintain a plan for site security improvement

  • Ensure IS systems are operated, used, maintained and disposed of properly

  • Ensure IS systems are certified and accredited

  • Ensure users and personnel have required security clearances, authorization, NTK, and are familiar with internal security practices

  • Enforce security policies and safeguards on personnel having access to an IS

  • Ensure audit trails are reviewed periodically

  • Initiate protective and corrective measures

  • Report security incidents in accordance with agency specific policy

  • Report the security status of the IS

  • Evaluate known vulnerabilities to determine if additional security is needed

Levels of Performance

  • Entry Level

    • Identify vulnerabilities and recommend security solutions required to return the system to an operational level of assurance.

  • Intermediate Level

    • For a new system architecture, investigate and document system security technology, policies and training requirements to assure system operation at a specified level of assurance

  • Advanced Level

    • For an accreditation action, analyze and evaluate system security technology, policy and training requirements in support of upper management. The analysis will include a description of the management/technology team required to successfully complete the accreditation process

Duties of Gov’t ISSO

  • Develop Certification and Accreditation Posture

    • Plan for Certification and Accreditation

    • Create CIA Policy

    • Control Systems Policy

    • Culture and Ethics

    • Incident Response

  • Implement Site Security Policy

    • Provide CIA

    • Ensure Facility is approved

    • Manage Operations of Information Systems

    • Regulate General Principles

      • Access Control, Training, Awareness, Legal aspects, CC, etc

    • Security Management

    • Access Controls

      • Human Access

      • Key Management

    • Incident Response

Duties (continued)

  • Enforce and verify system security policy

    • CIA and Accountability

    • Security Management

    • Access Controls

    • Automated Security Tools

    • Handling Media

    • Incident Response

  • Report on site security Status

    • Security Continuity Reporting

    • Report Security Incidents

    • Law

    • Report Security Status of IS as required by upper management

    • Report to Inspector General (IG)

Duties (continued)

  • Support Certification and Accreditation

    • Certification Functions

    • Accreditation Functions

    • Respond to upper management requests

References

  • Kovacich, Gerald L., “The Information Systems Security Officer’s Guide: Establishing and Managing an Information Protection Program”

  • “Information Assurance Training Standard for Information Systems Security Officers”