Developing the Security Program

Organizing for Security

As shown in Figure 5-1, a typical large organization has an average of one to two full-time security managers, three to four full-time administrators/technicians, and as many as 16 part-time staff members who have InfoSec duties in addition to their duties in other areas. For example, a systems administrator of a Windows Server 2016 system may be responsible for maintaining both the server and the security applications running on it. The very large organization, as illustrated in Figure 5-2, may have more than 20 full-time security personnel and 40 or more individuals with part-time responsibilities. Figure 5-4 shows the limited staffing found in smaller organizations, which typically have either one individual with full-time InfoSec duties or, more likely, one individual who manages or conducts InfoSec duties in addition to those of another functional area, most likely IT. This individual may have partial supervision of one or two assistants.

Placing Information Security Within an Organization

In large organizations, the InfoSec department, headed by the CISO, is often located within the IT division, and the CISO reports directly to the CIO. Such a structure implies that the goals and objectives of the CISO and CIO are closely aligned. This is not always the case. By its very nature, an InfoSec program operating as a department within an IT division may sometimes find itself at odds with the goals and objectives of the broader IT division: the security function exists to constrain the same systems the division is measured on delivering. The vision of separate IT and InfoSec functions is shared by many executives. A survey conducted by Meta Group found that while only three percent of the consulting firm's clients positioned the InfoSec department outside IT, the clients viewed this positioning as what a forward-thinking organization should do.

Option 5: Strategy and Planning

Figure 5-9 shows still another organizational structure found in the real world.
Here the Information Security Department reports to the Strategy and Planning Department: the Information Security Department Manager reports directly to the Vice President of Strategy and Planning. This option treats the information security function as critical to the success of the organization. It would be appropriate for an Internet merchant (a "dot-com" enterprise) or a credit card company, both of which depend critically on the success of the information security function.

Among the most critical components of a security program is the personnel function: the people who staff it and their expectations, roles, responsibilities, and credentials. Maintaining a secure environment requires that the InfoSec department be carefully structured and staffed with appropriately skilled and screened personnel. It also requires that the proper procedures be integrated into all human resources (HR) activities, including hiring, training, promotion, and termination practices.

Staffing the Security Function

Selecting an effective mix of InfoSec personnel for your organization requires that you consider a number of criteria. Some of these criteria are within the control of the organization; others, such as the supply of and demand for various skills and experience levels, are not. In general, when the demand for any commodity, including personnel with critical InfoSec technical or managerial skills, rises quickly, the initial supply often fails to meet it. As the demand becomes known, professionals entering the job market or refocusing their job skills seek to gain the required skills, experience, and credentials. Once supply is level with or higher than demand, organizations can become more selective and no longer need to pay a premium for those skills. This process swings back and forth like a clock pendulum because the real economy, unlike an econometric model, is seldom in a state of equilibrium for long periods of time.
For example, there was excess demand for experienced enterprise resource planning (ERP) professionals in the 1990s, and for experienced Common Business-Oriented Language (COBOL) programmers at the turn of the 21st century because of concerns about Y2K issues.

Information Security Positions

Standardizing job descriptions can increase the degree of professionalism in the field of InfoSec, as well as improve the consistency of roles and responsibilities among organizations.

Chief Information Security Officer (CISO)

Though not usually an executive-level position, the chief information security officer (CISO) is usually considered the top InfoSec officer in the organization. He or she frequently reports to the chief information officer (CIO), unless the organization employs a chief security officer (CSO) who oversees both physical security and InfoSec.

Qualifications and Position Requirements

The most common qualifications for the CISO include experience as a security manager as well as experience in planning, policy, and budgets. The most common certifications are the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM). A bachelor's degree is almost always required, and a graduate degree in business, technology, criminal justice, or another related field is common as well.

Security Manager

Qualifications and Position Requirements

It has become increasingly common for a security manager to hold a CISSP or CISM. These individuals must have experience in traditional business activities, including budgeting, project management, personnel management, and hiring and firing, and they must be able to draft middle-level and lower-level policies as well as standards and guidelines. Experience with business continuity planning is usually considered a plus.

Security Technician

Qualifications and Position Requirements

The technical qualifications and position requirements for a security technician vary from one organization to another.
Organizations typically prefer expert, certified, proficient technicians.

Implementing Security Education, Training, and Awareness (SETA) Programs

Security Awareness

Project Management in Information Security

Project Management Tools

RISK MANAGEMENT: ASSESSING RISK

Introduction to the Management of Risk in Information Security

The Information Security Risk Management Framework

Roles of Communities of Interest in Managing Risk

Executive Governance and Support

Additional tasks are performed by the governance group during the framework design phase, in cooperation with the framework team. These tasks include:

• Ensuring compliance with all legal and regulatory statutes and mandates
• Guiding the development of, and formally approving, the RM policy
• Recommending performance measures for the RM effort and ensuring that they are compatible with other performance measures in the organization
• Assigning roles and responsibilities
• Ensuring that the selected goals and objectives are appropriate and in alignment with the organization's strategic goals and objectives
• Providing needed resources

Framework Design

In this stage, the framework team begins designing the RM process by which the organization will understand its current levels of risk and determine what, if anything, it needs to do to bring that level down to an acceptable level, in alignment with the risk appetite specified earlier in the process. Designing the RM program means defining and specifying not only the detailed tasks to be performed by the framework team, but also those to be performed by the process team. Once the framework has been designed and has completed at least one iteration, most of the work of the framework team involves oversight of the process rather than development of the framework.
Framework Monitoring and Review

After the initial implementation, and as the RM effort proceeds, the framework team continues to monitor the conduct of the RM process while simultaneously reviewing the utility and relative success of the framework planning function itself. In the first few iterations, the framework team will examine how successful it was in designing and implementing the RM framework, plan, and RM process, and what issues required adjustments to the plan. The framework itself exists only as a methodology for designing and implementing the process, so once the framework is documented in the RM plan, the success of the process becomes the greatest concern. Problems in the framework's planning process may be relatively simple to resolve if addressed early, but issues downstream in the actual RM process may require redesign all the way back up to the framework and then modification of the RM plan.

The Risk Management Process

During the implementation phase of the RM framework, the RM plan guides the implementation of the RM process, in which risk evaluation and remediation of key assets are conducted. The three communities of interest must work together to address every level of risk, ranging from full-scale disasters (whether natural or human-made) to the smallest mistake made by an employee. This process uses the specific knowledge and perspective of the team to complete the following tasks:

RM Process Preparation: Establishing the Context

As the RM process team convenes, it is initially briefed by representatives of the framework team, and possibly by the governance group. These groups provide executive guidance for the work to be performed by the RM process team and ensure that the team's efforts are in alignment with managerial intent, as documented in the RM policy and plan. The group is briefed on its responsibilities and set to its work. The plan is reviewed and individual assignments are given.
The context in this phase is the understanding of the external and internal environments the RM team will be interacting with as it conducts the RM process. It also means understanding the RM process as defined by the framework team and having the internal knowledge and expertise to implement it. Finally, it means ensuring that all members of the RM process team understand the organization's risk appetite statement and are able to translate that statement into the appropriate risk treatment when the time comes.

Risk Assessment: Risk Identification

Identification of Information Assets

The risk identification process begins with the identification and cataloging of information assets, including people, procedures, data, software, hardware, and networking elements. This step should be done without prejudging the value of each asset; values will be assigned later in the process. This simple approach may be best for organizations just starting out in RM.

1. Identifying Hardware, Software, and Network Assets
2. Identifying People, Procedures, and Data Assets
3. Classifying and Categorizing Information Assets
4. Assessing the Value of Information Assets
5. Prioritizing (Rank Ordering) Information Assets
6. Associating Information Assets with Media

Threat Assessment

The ultimate goal of risk identification is to assess the circumstances and setting of each information asset to reveal any vulnerabilities. Armed with a properly classified inventory, you can assess potential weaknesses in each information asset, a process known as threat assessment.

Identifying Threats

There are 12 categories of threats to InfoSec, which are listed alphabetically in Table 6-3. Each of these threats presents a unique challenge to InfoSec and must be handled with specific controls that directly address the particular threat and the threat agent's attack strategy.
Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset. In general, this process is referred to as threat assessment.

Assessing Threats

Not all threats endanger every organization, of course. Examine each of the categories in Table 6-3 and eliminate any that do not apply to your organization. It is unlikely that an organization can eliminate an entire category of threats, but doing so speeds up the threat assessment process. The Offline feature titled "Threats to Information Security: Survey of Industry" describes the threats that some CIOs of major companies identified for their organizations. Although the feature directly addresses only InfoSec, note that a weighted ranking of threats should be compiled for any information asset that is at risk.

Risk Assessment: Risk Analysis

Assessing the relative risk for each vulnerability is accomplished via a process called risk analysis. Risk analysis assigns a risk rating or score to each specific vulnerability. While this number means nothing in absolute terms, it enables you to gauge the relative risk associated with each vulnerable information asset, and it facilitates the creation of comparative ratings later in the risk treatment process.

Determining the Likelihood of a Threat Event

Likelihood is the overall rating, a numerical value on a defined scale, of the probability that a specific vulnerability will be exploited or attacked. Using a 0-to-5 scale, the likelihood of a system being damaged by a water leak could be rated as 1, while the likelihood of receiving at least one email that contains a virus or worm in the next year would be rated as 5. You could also choose a different number scale, such as 1 to 10 or 1 to 100, depending on the granularity needed by the organization's process.
Whatever rating system you employ for assigning likelihood, use professionalism, experience, and judgment to determine the rating, and use it consistently: ratings from different raters or different years are only comparable if they sit on the same scale.

Assessing Potential Impact on Asset Value

Once the probability of an attack by a threat has been evaluated, the organization typically looks at the possible impact or consequences of a successful attack. A feared consequence is the loss of asset value. As mentioned in the section on assessing threats, the impact of an attack (most often a loss in asset value) is of great concern to the organization in determining where to focus its protection efforts. The weighted tables used in risk identification can help organizations better understand the magnitude of a successful breach. Another good source of information is popular media venues that report on successful attacks in other organizations. The use of a risk impact value similar to the one used for risk likelihood, ranging from 0 to 5, is shown in Table 6-11.

Risk Evaluation
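The risk identification and analysis steps above (screen out threat categories that do not apply, rate likelihood and impact on an agreed scale, then rank vulnerabilities by relative risk) can be carried through on a small register. The following is an added example, not code from the textbook. The likelihood and impact scales are the 0-to-5 scales the text describes; the rule that combines them (multiplication), the threat category names, and the register entries are constructed for illustration, since Table 6-3 and Table 6-11 are not reproduced on this page.

```python
"""Relative risk scoring over a small, constructed risk register.

Added example, not the textbook's own code. It uses the rating scales
the text describes (likelihood and impact each rated 0 to 5), screens out
threat categories the organization decided do not apply, and rank-orders
the remaining vulnerabilities so the relative order, not the raw number,
drives risk treatment. Multiplying the two ratings is an assumption of
this example; the text defines the scales, not a combination rule.
"""
from dataclasses import dataclass

LIKELIHOOD_MIN, LIKELIHOOD_MAX = 0, 5   # scale from the text
IMPACT_MIN, IMPACT_MAX = 0, 5           # scale from the text (Table 6-11 style)

# Constructed placeholder names; Table 6-3's categories are not on this page.
# Categories absent from this set were screened out during threat assessment.
APPLICABLE_THREATS = frozenset(
    {"software attacks", "human error", "forces of nature", "theft"})


@dataclass(frozen=True)
class Finding:
    asset: str          # information asset from the classified inventory
    vulnerability: str  # specific weakness in that asset
    threat: str         # threat category that could exploit the weakness
    likelihood: int     # rating on the agreed likelihood scale
    impact: int         # rating on the agreed impact scale


def screen_by_threat(findings, applicable=APPLICABLE_THREATS):
    """Drop findings whose threat category does not apply to the organization."""
    return [f for f in findings if f.threat in applicable]


def risk_rating(finding):
    """Relative rating, assumed here as likelihood x impact (range 0..25).

    Ratings outside the agreed scale are rejected rather than clamped, so a
    rater who slips into a 1..10 scale cannot silently distort the ordering.
    """
    if not LIKELIHOOD_MIN <= finding.likelihood <= LIKELIHOOD_MAX:
        raise ValueError(f"{finding.asset}/{finding.vulnerability}: "
                         f"likelihood {finding.likelihood} is off scale")
    if not IMPACT_MIN <= finding.impact <= IMPACT_MAX:
        raise ValueError(f"{finding.asset}/{finding.vulnerability}: "
                         f"impact {finding.impact} is off scale")
    return finding.likelihood * finding.impact


def rank_register(findings):
    """Return (rating, finding) pairs, highest relative risk first.

    Ties go to the higher impact, then alphabetical order, so the list is
    stable across runs and every reviewer sees the same ordering.
    """
    scored = [(risk_rating(f), f) for f in findings]
    scored.sort(key=lambda pair: (-pair[0], -pair[1].impact,
                                  pair[1].asset, pair[1].vulnerability))
    return scored


# Constructed sample register. The two anchor ratings the text gives appear
# here: a water leak at likelihood 1, malicious email at likelihood 5.
SAMPLE_REGISTER = [
    Finding("customer database server", "unpatched database service",
            "software attacks", 4, 5),
    Finding("customer database server", "server room beneath a water main",
            "forces of nature", 1, 5),
    Finding("employee mailboxes", "staff open malicious attachments",
            "software attacks", 5, 3),
    Finding("backup tapes", "unlocked storage cabinet", "theft", 2, 4),
    Finding("marketing brochures", "world-readable file share",
            "espionage or trespass", 3, 1),
]


def prioritized(findings=SAMPLE_REGISTER):
    """Screen, score and rank; returns [(asset, vulnerability, rating), ...]."""
    ranked = rank_register(screen_by_threat(findings))
    return [(f.asset, f.vulnerability, r) for r, f in ranked]


if __name__ == "__main__":
    for asset, vuln, rating in prioritized():
        print(f"{rating:>3}  {asset}: {vuln}")
```

The brochure entry never reaches the ranking because its category was screened out, which is the speed-up the text describes; the off-scale check is what makes "use it consistently" enforceable rather than advisory.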