Information Systems Security Officer
CS 996: Information Security Management
Pavel Margolin
4/20/05
Overview
• Who is an ISSO?
• Duties and Responsibilities
• Planning
• Establishing the CIAPP
• InfoSec Functions
• InfoSec in the Government

Who is an ISSO?
• ISSO – Information Systems Security Officer
• Reports to the Chief Information Officer (CIO), who reports to the CEO.
• Leader of the Information Security (InfoSec) organization.
• Qualifications
  • Manage and organize people
  • Communicate to upper management without much technical detail
  • Have enough technical expertise to understand systems and make decisions
Duties and Responsibilities
• Establishing and enforcing the Corporate Information Assets Protection Program (CIAPP)
• Managing people
• Managing the business of the CIAPP
• Managing CIAPP processes
• Hiring InfoSec staff
• Reporting to upper management

Planning
• Strategic Plan (ISSSP)
  • Compatible with the Strategic Business Plan
  • Long-term direction, goals, and objectives
• Tactical Plan (ITP)
  • Short-range plan
  • Supports CIAPP and InfoSec functional goals and objectives
• Annual Plan (IAP)
  • Identify and implement projects to accomplish the goals and objectives in the ISSSP and ITP
  • Plan of projects for the year
Establishing the CIAPP
• Reasons for the CIAPP
• Corporate vision, mission, and quality statements
• Corporate strategic, tactical, and annual business plans
• InfoSec vision, mission, and quality statements
• InfoSec strategic, tactical, and annual business plans
• Information and systems legal, ethical, and best business practices
• Overall information assets protection plans, policies, and procedures
• Current CIAPP-related and InfoSec policies
• Current CIAPP-related and InfoSec procedures
• Other topics as deemed appropriate by the ISSO
CIAPP Process (diagram)
• Business inputs: Costs, Profits, Sales, Public Relations, Stockholders’ value, Laws, Regulations, Business Practices, Ethics
• InfoSec inputs: Risk Assessments, Vulnerability assessments, Threat Assessments, Limited Risk assessments, Risk analyses, Best InfoSec Practices
• These feed Business Decisions, which shape InfoSec Policies, InfoSec Procedures, and InfoSec Processes, which together make up the CIAPP
Example CIAPP Requirements and Policy Directive
1. Introduction Section
2. Purpose Section
3. Scope Section
4. Responsibilities
5. Requirements Section
   A. Identifying the value of the information
   B. Access to information systems
   C. Access to specific applications and files
   D. Audit trails and their review
   E. Reporting and response in the event of a violation
   F. Minimum protection requirements for the hardware, firmware, and software
   G. Requirements for InfoSec procedures at other departments and lower levels of the corporation
6. Physical Security (optional if Physical Security is handled by the Director of Security)
InfoSec Functions
• Processes
• Valuing Information
• Awareness
• Access Control
• Evaluation of all hardware, firmware, and software
• Risk Management
• Security Tests and Evaluations program
• Noncompliance Inquiries
• Contingency and emergency planning and disaster recovery program (CEP-DR)
Function Drivers (diagram)
• Requirements-Drivers: Customers, Contracts, InfoSec Custodians, Users, Management, Audits, Tests & Evaluations, Other employees, Laws, Regulations, Non-compliance Inquiries, Investigations, Trade articles, Technical Bulletins, Business Plans, ISSO’s plans, Best business practices, Best InfoSec practices
• These drive the CIAPP and the ISSO’s CIAPP organizational requirements, responsibilities, and charter
• ISSO Organizational Functions:
  • Identification of InfoSec requirements
  • Access control
  • Non-compliance Inquiries (NCI)
  • Disaster Recovery/Emergency Planning
  • Tests and Evaluations
  • Intranet Security
  • Internet and Web Site Security
  • Security Applications Protection
  • Security Software Development
  • Software Interface InfoSec Evaluations
  • Access Control Violations Analysis
  • Systems’ Approvals
  • CIAPP Awareness and Training
  • Contractual Compliance Inspections
  • InfoSec Risk Management
InfoSec in the Government
• National Security Classified Information
  • Confidential – loss of this information can cause damage to national security
  • Secret – loss of this information can cause serious damage to national security
  • Top Secret – loss of this information can cause grave damage to national security
  • Black/Compartmented – granted on a need-to-know (NTK) basis. Ex: Sensitive Compartmented Information (SCI).
• Unclassified
  • For Official Use Only
  • Unclassified but Sensitive Information
  • Unclassified
InfoSec Requirements in the Government
• InfoSec policy – laws, rules, and practices that regulate how organizations handle national security data
• Accountability – assigning responsibility and accountability to individuals or groups who deal with national security information
• Assurance – guarantees that the InfoSec policy is implemented correctly and that the InfoSec elements accurately mediate and enforce the policy
• Documentation – records how a system is structured, its functions, and how the system was designed
InfoSec Objectives in the Government
• Protect and defend all information used by an AIS (automated information system)
• Prevent unauthorized access, modification, damage, destruction, or DoS
• Provide assurances of:
  • Compliance with government and contractual obligations and agreements
  • Confidentiality of all classified information
  • Integrity of information and related processes
  • Availability of information
  • Usage of the information and AIS by authorized personnel only
  • Identification and elimination of fraud, waste, and abuse
ISSO at Gov’t Agencies
• Maintain a plan for site security improvement
• Ensure IS systems are operated, used, maintained, and disposed of properly
• Ensure IS systems are certified and accredited
• Ensure users and personnel have the required security clearances, authorization, and NTK, and are familiar with internal security practices
• Enforce security policies and safeguards on personnel having access to an IS
• Ensure audit trails are reviewed periodically
• Initiate protective and corrective measures
• Report security incidents in accordance with agency-specific policy
• Report the security status of the IS
• Evaluate known vulnerabilities to determine if additional security is needed
Levels of Performance
• Entry Level
  • Identify vulnerabilities and recommend security solutions required to return the system to an operational level of assurance.
• Intermediate Level
  • For a new system architecture, investigate and document system security technology, policies, and training requirements to assure system operation at a specified level of assurance.
• Advanced Level
  • For an accreditation action, analyze and evaluate system security technology, policy, and training requirements in support of upper management. The analysis will include a description of the management/technology team required to successfully complete the accreditation process.
Duties of Gov’t ISSO
• Develop Certification and Accreditation Posture
  • Plan for Certification and Accreditation
  • Create CIA Policy
  • Control Systems Policy
  • Culture and Ethics
  • Incident Response
• Implement Site Security Policy
  • Provide CIA
  • Ensure Facility is approved
  • Manage Operations of Information Systems
  • Regulate General Principles
    • Security Management
    • Access Controls: Access Control, Training, Awareness, Legal aspects, CC, etc.
    • Human Access
    • Key Management
    • Incident Response
Duties (continued)
• Enforce and verify system security policy
  • CIA and Accountability
  • Security Management
  • Access Controls
  • Automated Security Tools
  • Handling Media
  • Incident Response
• Report on site security status
  • Security Continuity Reporting
  • Report Security Incidents
  • Law
  • Report Security Status of IS as required by upper management
  • Report to Inspector General (IG)
Duties (continued)
• Support Certification and Accreditation
  • Certification Functions
  • Accreditation Functions
  • Respond to upper management requests
References
• Kovacich, Dr. Gerald L., “The Information Systems Security Officer’s Guide: Establishing and Managing an Information Protection Program”
• “Information Assurance Training Standard for Information Systems Security Officers”, http://www.cnss.gov/instructions.html