Stu-Chapter5 - EECS People Web Server

Chapter 5: Developing the Security Program
Presented by: Jennifer, Sergey & Kalagee
Slides by: Ryan
Outline
• Introduction
• Organizing for Security
• Information Security Placement
• Components of the Security Program
• Information Security Roles and Titles
• Security Education, Training, and Awareness
Introduction
• Security Program
– Entire set of personnel, plans, and policies related to Information Security
• Information Security
– Corporate or physical security
• Information Security Program
– Structured effort to contain risks to information assets
Organizing for Security
• Security Program Influences
– Organizational culture
– Company size and available resources
– Security personnel and capital budget
Organization Sizes
• Small (10-100 computers)
– 20% of IT budget
• Medium (100-1,000 computers)
– 11% of IT budget
• Large (1,000-10,000 computers)
– 5% of IT budget
• Very Large (10,000+ computers)
– 6% of IT budget
Information Security Functions
• Risk Assessment
• Risk Management
• Systems Testing
• Policy
• Legal Assessment
• Incident Response Planning
• Vulnerability Assessment
• Measurement
• Compliance
• Centralized Authentication
• Systems Security Administration
• Training
• Network Security Administration
Security Function Distribution
• Non-technology business units
– Legal assessment and training
• IT groups outside of information security
– Systems and network administration
• Information security as customer service
– Planning, testing, risk assessment, incident response, vulnerability assessment
• Information security as compliance enforcement
– Policy, compliance, and risk management
Large Org. Staffing
Very Large Org. Staffing
Medium Org. Staffing
Small Org. Staffing
Security Placement
• Openness to new ideas
• Clout with top management
• Respect in the eyes of a wide variety of employees
• Comfort and familiarity with information security concepts
• Willingness to defend the best interest of the organization in the long run
Security Placement Locations
• IT
• Security
• Administrative Services
• Insurance and Risk Management
• Strategy and Planning
• Legal
• Internal Audit
• Help Desk
• Accounting and Finance Through IT
• Human Resources
• Facilities Management
• Operations
IT
Security
Administrative Services
Insurance & Risk
Strategy & Planning
Legal
Other Options
• Internal Audit
• Help Desk
• Accounting and Finance Through IT
• Human Resources
• Facilities Management
• Operations
Components of the Security Program
• InfoSec needs are unique to culture, size, and budget of organization
• Guided by mission and vision statements
• CIO and CISO use mission and vision statements to formulate InfoSec program mission statement
Elements of a Security Program (NIST)
• Policy
• Program management
• Risk management
• Life-cycle planning
• Personnel and user issues
• Contingency and disaster recovery planning
• Computer security incident handling
Elements of a Security Program (NIST)
• Awareness and training
• Security considerations
• Physical and environmental security
• Identification and authentication
• Logical access control
• Audit trails
• Cryptography
Information Security Roles and Titles
• Those that define
– Provide policies, guidelines, and standards
• Those that build
– Create and install security solutions
• Those that administer
– Monitor and improve the security process
Job Function Categories
• Chief Information Security Officer (CISO)
• Security manager
• Security administrator/analyst
• Security technician
• Security staffer
• Security consultant
• Security officer and investigator
• Help desk personnel
Chief Information Security Officer (CISO)
• Assessment, management, and implementation of the InfoSec program
• Other Titles
– Manager for Security
– Security Administrator
• In most cases reports to the CIO
Security Manager
• Oversees day-to-day operation of the InfoSec program
– Scheduling
– Setting priorities
– Administering procedural tasks
• Reports to the CISO
• Some technical knowledge
Security Administrator/Analyst
• Has both technical knowledge and managerial skill
• Manages day-to-day operation of the InfoSec program
• Assists in development and delivery of training programs and policies
Security Technician
• Subject matter experts
• Implement security software
• Diagnose and troubleshoot problems
• Coordinate with administrators to ensure security is properly implemented
• Tend to be specialized
Security Staffer
• Individuals who perform routine watchstanding activities
– Intrusion detection consoles
– Monitor email
– Perform routine, yet critical, tasks
Security Consultants
• Expert in some aspect of InfoSec
– Disaster recovery
– Business continuity planning
– Policy development
– Strategic planning
Security Officers and Investigators
• Sometimes necessary to protect highly sensitive data from physical threats
• Three G’s of physical security
– Guards
– Gates
– Guns
Help Desk Personnel
• Enhance the security team’s ability to identify potential problems
• Must be prepared to identify and diagnose problems
– Traditional technical problems
– Threats to information security
Security Education, Training, and Awareness (SETA)
• Responsibility of the CISO
• Designed to reduce accidental security breaches
• Can improve employee behavior
• Informs members of the organization about where to report violations of policy
• Allows organizations to hold employees accountable for their actions
Purpose of SETA
• Enhance security
– By building in-depth knowledge to design, implement, or operate security programs for organizations and systems
– By developing skills and knowledge so that computer users can perform their jobs more securely
– By improving awareness of the need to protect system resources
Security Education
• Information security training programs must address:
– Information security educational components
– General education requirements
Developing InfoSec Curricula
• InfoSec standards
– ACM
– IEEE
– ABET
• No security curricula models
Developing InfoSec Curricula
• Must carefully map expected learning outcomes
• Knowledge map
– Helps potential students assess various InfoSec programs
– Identifies skills and knowledge clusters obtained by program graduates
InfoSec Knowledge Map
Security Training
• Provides employees with hands-on training
• In-house or outsourced
• NIST provides free InfoSec training documents
– NIST SP 800-16
Security Training
• Customizing training by functional background
– General user
– Managerial user
– Technical user
  • Job category
  • Job function
  • Technology product
Security Training
• Customizing training by skill level
– Novice
– Intermediate
– Advanced
Training for General Users
• Commonly during employee orientation
• Employees are educated on a wide variety of policies
– Good security practices
– Password management
– Specialized access controls
– Violation reporting
Training for Managerial Users
• Similar to general training
• More personalized
• Small groups
• More interaction and discussion
Training for Technical Users
• Developing advanced technical training
– By job category
– By job function
– By technology product
Training Techniques
• Use correct teaching methods
• Take advantage of the latest learning technology
• Use best practices
• On-site training is beneficial
Delivery Methods
• Delivery method choice is influenced by
– Budget
– Scheduling
– Needs of organization
• Delivery methods
– One-on-one
– Formal Class
– Computer-Based Training (CBT)
Delivery Methods (cont.)
• Distance learning
• Web Seminars
• User Support Group
• On-Site Training
• Self-Study
Selecting Training Staff
• Local training program
• Continuing education department
• External training agency
• Hire a professional trainer
• Hire a consultant, or someone from an accredited institution, to conduct on-site training
• Organize and conduct training in-house using the organization’s own employees
Implementing Training
1. Identify program scope, goals and
objectives
2. Identify training staff
3. Identify target audiences
4. Motivate management and employees
5. Administer the program
6. Maintain the program
7. Evaluate the program
Security Awareness
• Change organizational culture to realize the importance of InfoSec
• Users need to be reminded of the standards and procedures
• Gives employees a sense of responsibility and importance
Security Awareness Program
• Focus on people
• Don’t use technical jargon
• Use every available medium
• Define a learning objective
• Help users understand their roles
• Don’t overload users with too much information
• Take advantage of in-house communication
• Make the awareness program formal
• Provide good information early
Employee Behavior and Awareness
• Educate employees on how to
– Properly handle information
– Use applications
– Operate within the organization
• This minimizes the risk of accidental compromise, damage, or destruction of information
Employee Accountability
• Effective training programs make employees accountable for their actions
• “Ignorance of the law excuses no one”
• A constant reminder of the consequences of abusing or misusing information resources can help protect the organization against lawsuits
Awareness Techniques
• Changes based on intended audience
• Security awareness program
– can use many methods to deliver its message
– developed with the assumption that people tend to practice a tuning-out process
– awareness techniques should be creative and frequently changed
Developing Security Awareness Components
• Videos
• Posters and banners
• Lectures and conferences
• Computer-based training
• Newsletters
• Brochures and flyers
• Trinkets
• Bulletin boards
Posters
Newsletters
• Cost-effective
• Distributed via e-mail, hard copy, or intranet
• Consists of front page, index, volume, and contact information
• May contain articles, policies, how-to’s, security events, upgrades, incidents, etc.
Trinket Program
• Most expensive
• Gets attention instantly
• Mugs, calendars, T-shirts, pens, holders, etc.
InfoSec Awareness Website Tips
– Don’t reinvent
– Plan ahead
– Minimal page loading time
– Attractive look and feel
– Always seek feedback
– Test everything. Assume nothing
– Promote the website
Conclusions
• Information security programs can be dramatically different for organizations of varying size, but they all have the same goal
– To secure information and information assets
• This is achieved by
– Optimal placement of InfoSec within the organization
– Security education, training, and awareness (SETA)
Questions?