Security Organization
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu
IST 515

Objectives
This module will familiarize you with the following:
• Security planning.
• Responsibilities of the chief information security officer (CISO).
• Security organizational structure - reporting models. What is the most effective security structure within an organization?
• Security organization best practices.
• Personnel security.
• Security awareness, training and education.

Readings
• Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the CISSP CBK, Auerbach, 2007. Domain 1 (Required).
• Benson, C., "Security Planning." (Required) http://technet.microsoft.com/en-us/library/cc723503.aspx
• Johnson, M. E. and Goetz, E., "Embedding Information Security into the Organization," IEEE Security & Privacy, May/June 2007, pp. 16-24.
• ISO, "Organization of Information Security," http://www.iso27001security.com/ISO27k_Organization_of_information_security.rtf
• PriceWaterhouseCooper, "The Global State of Information Security Survey," 2005.

[Figure: security management domains] Organizational Security Policy; Organizational Design; Asset Classification and Control; Access Control; Compliance; Personnel Security; Awareness/Education; Operational: System Development and Maintenance, Physical and Environmental Security, Communications & Operations Mgmt., Business Continuity Management.

Security Management Practice
• Security Governance.
• Security Policies, Procedures, Standards, Guidelines, and Baselines.
• Security Planning.
• Security Organization.
• Personnel Security.
• Security Audit and Control.
• Security Awareness, Training and Education.
• Risk Assessment and Management.
• Professional Ethics.

Principles of Organizational Design
• Strategic Alignment.
• Organization structure - Functional vs. Matrix
  – Span of control
  – Hierarchy
  – Reporting relationship (governance)
• Job descriptions.
• Staffing and skill requirements (training).
• Grading (reward structure).
• Clarity about the boundaries with other organizational groups.
Alsbridge, "Designing Your Organization for BPO and Shared Services." http://www.sourcingmag.com/content/c070219a.asp

Information Security Planning
• Planning reduces the likelihood that the organization will be reactionary toward its security needs.
• Security planning involves developing security policies and implementing controls to prevent computer risks from becoming reality.
• The risk assessment provides a baseline for implementing security plans to protect assets against various threats.

Hierarchy of Security Planning
• Strategic Planning (3-5 years). Strategic plans are aligned with the strategic business and IT goals. They provide the vision for projects to achieve the business objectives. The plans should be reviewed annually or whenever major changes to the business occur.
• Tactical Planning (6-18 months). Tactical plans provide the broad initiatives to support and achieve the goals specified in the strategic plans.
• Operational and Project Planning. Specific plans with milestones, dates and accountabilities provide the communication and direction to ensure that the individual projects are completed.

Types of Security Planning
Proactive Planning:
• Develop security policies and controls.
• Implement tools and techniques to aid in security.
  - Secure access, secure data, and secure code.
  - Techniques for network security – firewall, VPN.
  - Detection tools.
• Implement technologies to keep the system running in the event of a failure.
Reactive Planning:
• Develop a contingency plan.

Examples of Security Plans
• The Department of Housing and Urban Development, System Security Plan (SSP) Template. http://www.nls.gov/offices/cio/sdm/devlife/tempchecks/mastemplate.doc
• California State University, Chico. http://www.csuchico.edu/ires/security/documents/Information%20Security%20Plan%20052009%20v5_1.pdf
• Sample Security Plan – Adventure Works. Benson, C., "Security Planning." (Required) http://technet.microsoft.com/en-us/library/cc723503.aspx
• Johnson, M. E. and Goetz, E., "Embedding Information Security into the Organization," IEEE Security & Privacy, May/June 2007, pp. 16-24.

Security Related People
Security is the responsibility of everyone within the organization. Related people include:
• Executive management.
• Chief information security officer (CISO).
• Information systems security professional.
• Data / information / business owner.
• Information systems auditor.
• Information systems / IT professional.
• Systems / network / security administrator.
• Help desk administrator.
• Administrative assistants / secretaries.
• End users.

CISO Responsibilities
• Communicate risks to executive management.
• Budget for information security activities.
• Ensure development of policies, procedures, baselines, standards, and guidelines.
• Develop and provide a security awareness program.
• Understand business objectives.
• Maintain awareness of emerging threats and vulnerabilities.
• Evaluate security incidents and response.
• Develop a security compliance program.
• Establish security metrics.
• Participate in management meetings.
• Ensure compliance with governmental regulations.
• Assist internal and external auditors.
• Stay abreast of emerging technologies.

CISO Reporting Models
• Reporting to the CEO.
• Reporting to the information technology (IT) department.
• Reporting to corporate security.
• Reporting to the administrative services department.
• Reporting to the insurance and risk management department.
• Reporting to the internal audit department.
• Reporting to the legal department.
What are the pros and cons of each reporting model?

To Whom Does the CISO Report?
[Figure: horizontal bar chart, PWC Global State of Information Security Survey 2005, axis 0% to 25%.] Categories from smallest share to largest: Legal Counsel, Chief Privacy, Risk Management, CSO, Other, Internal Audit, Security Committee, COO, CFO, VP, CTO, CIO (Independent), Board of Directors, CIO (Integrated), CEO. Shares shown on the bars, in the same order: 2%, 2%, 3%, 3%, 4%, 4%, 4%, 4%, 4%, 5%, 5%, 8%, 12%, 18%, 21%.

Organization of Information Security (http://www.iso27001security.com/)
[Figure: organization chart.] Executive Committee (chaired by the Chief Executive Officer); Audit Committee (chaired by the Head of Audit); Security Committee (chaired by the Chief Security Officer); Risk Committee (chaired by the Risk Manager); CSO; Information Security Manager; Local Security Committees (one per location); Security Administration; Policy & Compliance; Information Asset Owners (IAOs); Risk & Contingency Management; Security Operations; Site Security Managers; Security Guards; Facilities Management.

Information Security Organization (Johnson and Goetz, 2007)
[Figure: organization chart.] CEO; CTO; CFO; COO; CIO; Legal/Chief; CPO; Corp Sec; Director, Information Security Division; SPOCs; Policy compliance; Technology security operations; Risk management.

What Are They?
• CEO: Chief Executive Officer.
• CFO: Chief Financial Officer.
• CTO: Chief Technology Officer.
• CIO: Chief Information Officer.
• COO: Chief Operating Officer.
• CISO: Chief Information Security Officer.
• CSO: Chief Security Officer.
• CPO: Chief Privacy Officer.
Information Security Organization (Johnson and Goetz, 2007)
[Figure: organization chart.] Board; IA; CEO; CFO; CTO; Real Estate / Workplace Service / Security Office; CIO; LB; LB; Business IT; IT Infrastructure; Health & Safety; Global security; Workplace security; Supply chain security.

[Figure: organization chart under the CISO.] CISO; Business information security manager; Strategy, architecture and consulting; Host/network security; Program/process manager; Incident management; Compliance management.

Information Security Organization
[Figure: organization chart under the Director of Security.] Director of Security; Security Advisory Group; Administrative Assistant; Incident Management; Information Security Training & Awareness; Risk Management; Critical Infrastructure Protection & Service Continuity; Security Infrastructure & Technical Support; Standards, Policies and Procedures.

Security Organization Best Practices
• Job rotation. Job rotation reduces the risk of collusion between individuals.
• Separation of duties. One individual should not have the capability to execute all of the steps of a particular process.
• Least privilege (need to know). Grant users only the access required to perform their job functions.
• Mandatory vacations. Require vacations of a specified consecutive-day period.
• Job position sensitivity. The access and duties of an individual in a particular department should be assessed to determine the sensitivity of the position.

Separation of Duties
The same individual should not typically perform the following functions:
• Systems administration
• Network management
• Data entry
• Computer operations
• Security administration
• Systems development and maintenance
• Security auditing
• Information systems management
• Change management

Personnel Security – Hiring Practices
Managing the people aspect of security, from pre-employment to post-employment, is critical to ensuring that trustworthy, competent resources are employed to further the business objectives that protect company information.
• Developing job descriptions.
• Developing confidentiality agreements.
• Contacting references – reference checks.
• Screening / investigating background.
• Ongoing supervision and periodic performance reviews.
• Determining policies on vendor, contractor, consultant and temporary staff access.
• Employee terminations need different levels of care.

Background Checks
Background checks can uncover the following problems:
• Gaps in employment.
• Misrepresentation of job titles.
• Job duties.
• Salary.
• Reasons for leaving a job.
• Validity and status of professional certification.
• Education verification and degrees obtained.
• Credit history.
• Driving records.
• Criminal history.
• Personal references.
• Social security number verification.

Special Types of Background Checks
• Individuals involved in technology.
• Individuals with access to confidential or sensitive information.
• Employees with access to company proprietary or competitive data.
• Positions working with accounts payable, receivables, or payroll.
• Positions dealing directly with the public.
• Employees working for healthcare industry-based organizations or organizations dealing with financial information.
• Positions involving driving a motor vehicle.
• Employees who will come in contact with children.

Elements of Professional Development (NIST SP 800-100)
[Figure: The IT Security Learning Continuum, NIST SP 800-100.] Role-based layers: Manage; Acquire; Design & Develop; Implement & Operate; Review & Evaluate; Use. Foundation layers: Security Basics & Literacy; Security Awareness.

Security Awareness
• Provide the understanding of the importance of security within an organization.
• Inform employees about their roles, and the expectations surrounding their roles, in the observance of information security requirements.
• Provide guidance on the performance of particular security or risk management functions, as well as information on the security or risk management functions in general.
• Educate users in the fulfillment of the security program objectives, which may also include audit objectives for organizations that are bound by regulatory compliance (e.g., HIPAA, the Sarbanes-Oxley Act).

Topics for Security Awareness
• Corporate security policies.
• Organization's security program.
• Regulatory compliance requirements.
• Social engineering.
• Business continuity.
• Disaster recovery.
• Emergency management.
• Security incident response.
• Data classification.
• Information labeling and handling.
• Personnel security, safety and soundness.
• Physical security.
• Appropriate computing resource use.
• Proper care and handling of security credentials.
• Risk assessment.
• Accidents, errors or omissions.

Awareness Activities and Methods
• Formalized courses, face-to-face or online.
• Use of posters to call attention to aspects of security.
• Conduct business unit walk-throughs.
• Use the intranet to post security reminders or host a security column.
• Appointment of security awareness mentors.
• Sponsor a security awareness day.
• Sponsor an event with an external partner.
• Provide trinkets for users that support security principles.
• Provide security management videos, books, web sites, and collateral for reference.

Selected Professional Education
• Certified Information Systems Security Professional (CISSP), (ISC)2. http://www.isc2.org/
• Systems Security Certified Practitioner (SSCP), (ISC)2. http://www.isc2.org/
• Certified Information Systems Auditor (CISA), ISACA. http://www.isaca.org/
• Certified Information Security Manager (CISM), ISACA. http://www.isaca.org/
• Global Information Assurance Certification (GIAC), SANS Institute. http://www.giac.org/

Potential Practical Projects
• Develop an information security plan.
• Review and propose a security organization redesign.
• Develop a security hiring plan.
  - Write a job description for a security position.
  - Write an advertisement for a security job.
• Develop a security background check program.
• Develop a security awareness plan / program.
• Develop a security training plan / program.
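The "Separation of Duties" and "Least privilege" slides describe controls that are usually enforced in an identity or access-management review rather than by policy alone. The following Python script is an added example for this module, not code from the slides or from any cited author: it takes the list of functions the deck says one person should not combine, checks a constructed table of who holds which functions for conflicting combinations, and compares granted functions against functions actually exercised to surface least-privilege review candidates. All people, assignments and usage records below are constructed sample data, and the idea of treating every pair of listed functions as a conflict is this example's reading of the slide.

```python
"""Separation-of-duties and least-privilege review over role assignments.

Added example for the IST 515 "Security Organization" module; not part of the
original slides. The restricted-function list comes from the "Separation of
Duties" slide; every other name and record here is constructed sample data.
"""
from itertools import combinations

# Functions the slide says should not typically be held by the same person.
# This example treats any two of them in one person's hands as a conflict.
RESTRICTED_FUNCTIONS = {
    "systems_administration",
    "network_management",
    "data_entry",
    "computer_operations",
    "security_administration",
    "systems_development_and_maintenance",
    "security_auditing",
    "information_systems_management",
    "change_management",
}

# Constructed sample: who currently holds which functions (e.g. exported
# from an IAM system). "help_desk" is outside the restricted set on purpose.
ASSIGNMENTS = {
    "alice": ["systems_administration", "security_auditing"],
    "bob": ["data_entry"],
    "carol": ["systems_development_and_maintenance", "change_management", "help_desk"],
    "dave": ["security_administration"],
}

# Constructed sample: functions each person actually exercised in the
# review window, as derived from access logs.
EXERCISED_LAST_90_DAYS = {
    "alice": {"systems_administration"},
    "bob": {"data_entry"},
    "carol": {"systems_development_and_maintenance", "help_desk"},
    "dave": set(),
}


def find_sod_violations(assignments, restricted=RESTRICTED_FUNCTIONS):
    """Return {person: [(function_a, function_b), ...]} for every person who
    holds two or more restricted functions. Pairs are sorted so the output is
    deterministic and easy to diff between review cycles."""
    violations = {}
    for person, functions in assignments.items():
        held = sorted(set(functions) & restricted)
        if len(held) > 1:
            violations[person] = list(combinations(held, 2))
    return violations


def unused_privileges(assignments, exercised):
    """Return {person: [function, ...]} listing granted functions that were
    never exercised in the window. These are least-privilege review
    candidates: access that may no longer be needed for the job."""
    unused = {}
    for person, functions in assignments.items():
        idle = sorted(set(functions) - exercised.get(person, set()))
        if idle:
            unused[person] = idle
    return unused


def review_report(assignments, exercised):
    """Combine both checks into one structure a reviewer can act on."""
    return {
        "sod_violations": find_sod_violations(assignments),
        "least_privilege_candidates": unused_privileges(assignments, exercised),
    }


if __name__ == "__main__":
    report = review_report(ASSIGNMENTS, EXERCISED_LAST_90_DAYS)
    for person, pairs in report["sod_violations"].items():
        for a, b in pairs:
            print(f"SoD conflict: {person} holds both {a} and {b}")
    for person, idle in report["least_privilege_candidates"].items():
        print(f"Least-privilege review: {person} has unused access to {', '.join(idle)}")
```

On the constructed data the script flags alice (administers systems and audits security, so she could audit her own work) and carol (develops and approves changes), and lists the functions that alice, carol and dave hold but did not use; the conflict pairs and the review window are the two inputs a real deployment would tune to its own separation-of-duties matrix and log retention.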