Upload
constance-williams
View
219
Download
0
Tags:
Embed Size (px)
Citation preview
MANAGEMENT of INFORMATION SECURITY Third Edition
Chapter 5Developing the Security Program
We trained hard… but every time we formed up teams we would be reorganized. I was to learn that we meet any new situation by reorganizing. And a wonderful method it can be for creating the
illusion of progress while producing confusion, inefficiency, and demoralization. – Petronius Arbiter, Roman Writer and Satirist, 210 B.C.
Objectives
• Upon completion of this material you should be able to:– Explain the organizational approaches to
information security– List and describe the functional components of
an information security program– Determine how to plan and staff an
organization’s information security program based on its size
Management of Information Security, 3rd ed. 2
Objectives (cont’d.)
• Upon completion of this material you should be able to: (cont’d.)– Evaluate the internal and external factors that
influence the activities and organization of an information security program
– List and describe the typical job titles and functions performed in the information security program
Management of Information Security, 3rd ed. 3
Objectives (cont’d.)
• Upon completion of this material you should be able to: (cont’d.)– Describe the components of a security
education, training, and awareness program and explain how organizations create and manage these programs
Management of Information Security, 3rd ed. 4
Introduction
• Some organizations use security program to describe the entire set of personnel, plans, policies, and initiatives related to information security– The term “information security program” is
used here to describe the structure and organization of the effort that contains risks to the information assets of the organization
Management of Information Security, 3rd ed. 5
Organizing for Security
• Variables involved in structuring an information security program– Organizational culture– Size– Security personnel budget– Security capital budget
• As organizations increase in size:– Their security departments are not keeping up
with increasingly complex organizational infrastructures
Management of Information Security, 3rd ed. 6
Organizing for Security (cont’d.)
• Information security departments tend to form internal groups – To meet long-term challenges and handle day-
to-day security operations
• Functions are likely to be split into groups
• Smaller organizations typically create fewer groups– Perhaps having only one general group of
specialists
Management of Information Security, 3rd ed. 7
Organizing for Security (cont’d.)
• Very large organizations– More than 10,000 computers– Security budgets often grow faster than IT
budgets– Even with a large budgets, the average
amount spent on security per user is still smaller than any other type of organization
• Small organizations spend more than $5,000 per user on security; very large organizations spend about 1/18th of that, roughly $300 per user
Management of Information Security, 3rd ed. 8
Organizing for Security (cont’d.)
• Very large organizations (cont’d.)– Does a better job in the policy and resource
management areas– Only 1/3 of organizations handled incidents
according to an IR plan
• Large organizations– Have 1,000 to 10,000 computers – Security approach has often matured,
integrating planning and policy into the organization’s culture
Management of Information Security, 3rd ed. 9
• Large organizations (cont’d.)– Do not always put large amounts of resources
into security• Considering the vast numbers of computers and
users often involved
– They tend to spend proportionally less on security
Organizing for Security (cont’d.)
Management of Information Security, 3rd ed. 10
Security in Large Organizations
• One approach separates functions into four areas:– Functions performed by non-technology
business units outside of IT– Functions performed by IT groups outside of
information security area– Functions performed within information
security department as customer service– Functions performed within the information
security department as compliance
Management of Information Security, 3rd ed. 11
• The CISO has responsibility for information security functions – Should be adequately performed somewhere
within the organization
• The deployment of full-time security personnel depends on:– Sensitivity of the information to be protected– Industry regulations– General profitability
Security in Large Organizations (cont’d.)
Management of Information Security, 3rd ed. 12
• The more money the company can dedicate to its personnel budget– The more likely it is to maintain a large
information security staff
Security in Large Organizations (cont’d.)
Management of Information Security, 3rd ed. 13
Security in Large Organizations (cont’d.)
Figure 5-1 Example of information security staffing in a large organization
Source: Course Technology/Cengage LearningManagement of Information Security, 3rd ed. 14
Security in Large Organizations (cont’d.)
Figure 5-2 Example of information security staffing in a very large organization
Source: Course Technology/Cengage LearningManagement of Information Security, 3rd ed. 15
Security in Medium-Sized Organizations
• Medium-sized organizations– Have between 100 and 1000 computers– Have a smaller total budget– Have same sized security staff as the small
organization, but a larger need– Must rely on help from IT staff for plans and
practices– Ability to set policy, handle incidents, and
effectively allocate resources is worse than any other size
Management of Information Security, 3rd ed. 16
Security in Medium-Sized Organizations (cont’d.)
• Medium-sized organizations (cont’d.)– May be large enough to implement a multi-
tiered approach to security• With fewer dedicated groups and more functions
assigned to each group
– Tend to ignore some security functions
Management of Information Security, 3rd ed. 17
Security in Medium-Sized Organizations (cont’d.)
Figure 5-3 Example of information security staffing in a medium-sized organization
Source: Course Technology/Cengage LearningManagement of Information Security, 3rd ed. 18
Security in Small Organizations
• Small organizations– Have between 10 and 100 computers– Have a simple, centralized IT organizational
model– Spend disproportionately more on security– Information security is often the responsibility
of a single security administrator– Have little in the way of formal policy, planning,
or security measures
Management of Information Security, 3rd ed. 19
Security in Small Organizations (cont’d.)
• Small organizations (cont’d.)– Commonly outsource their Web presence or
electronic commerce operations – Security training and awareness is commonly
conducted on a 1-on-1 basis– Policies (when they exist) are often issue-
specific – Formal planning is often part of IT planning – Threats from insiders are less likely
• Every employee knows every other employee
Management of Information Security, 3rd ed. 20
Security in Small Organizations (cont’d.)
Figure 5-4 Example of information security staffing in a smaller organization
Source: Course Technology/Cengage LearningManagement of Information Security, 3rd ed. 21
Placing Information Security Within An Organization
• In large organizations – InfoSec is often located within the information
technology department• Headed by the CISO who reports directly to the top
computing executive, or CIO
• An InfoSec program is sometimes at odds with the goals and objectives of the IT department as a whole
Management of Information Security, 3rd ed. 22
Placing Information Security Within An Organization (cont’d.)
• Because the goals and objectives of the CIO and the CISO may come in conflict– It is not difficult to understand the current
movement to separate information security from the IT division
– The challenge is to design a reporting structure for the InfoSec program that balances the needs of each of the communities of interest
Management of Information Security, 3rd ed. 23
Placing Information Security Within an Organization (cont’d.)
Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
Figure 5-5 Wood’s Option 1: Information security reports to information technology department
Management of Information Security, 3rd ed. 24
Placing Information Security Within an Organization (cont’d.)
Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
Figure 5-6 Wood’s Option 2: Information security reports to broadly defined security department
Management of Information Security, 3rd ed. 25
Placing Information Security Within an Organization (cont’d.)
Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
Figure 5-7 Wood’s Option 3: Information security reports to administrative services department
Management of Information Security, 3rd ed. 26
Placing Information Security Within an Organization (cont’d.)
Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
Figure 5-8 Wood’s Option 4: Information security reports to insurance and risk management department
Management of Information Security, 3rd ed. 27
Placing Information Security Within an Organization (cont’d.)
Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
Figure 5-9 Wood’s Option 5: Information security reports to strategy and planning department
Management of Information Security, 3rd ed. 28
Placing Information Security Within an Organization (cont’d.)
• Other options– Option 6: Legal– Option 7: Internal audit – Option 8: Help desk – Option 9: Accounting and finance through IT – Option 10: Human resources – Option 11: Facilities management – Option 12: Operations
Management of Information Security, 3rd ed. 29
Components of the Security Program
• Organization’s information security needs– Unique to the culture, size, and budget of the
organization– Determining what level the information security
program operates on depends on the organization’s strategic plan
• Also the plan’s vision and mission statements• The CIO and CISO should use these two
documents to formulate the mission statement for the information security program
Management of Information Security, 3rd ed. 30
Information Security Roles and Titles
• Types of information security positions– Those that define
• Provide the policies, guidelines, and standards • Do the consulting and the risk assessment• Develop the product and technical architectures• Senior people with a lot of broad knowledge, but
often not a lot of depth
– Those that build• The real “techies” who create and install security
solutions
Management of Information Security, 3rd ed. 31
Information Security Roles and Titles (cont’d.)
• Types of information security positions (cont’d.)– Those that administer
• Operate and administer the security tools and the security monitoring function
• Continuously improve the processes
• A typical organization has a number of individuals with information security responsibilities
Management of Information Security, 3rd ed. 32
• While the titles used may be different, most of the job functions fit into one of the following:– Chief Information Security Officer (CISO) or
Chief Security Officer (CSO)– Security managers– Security administrators and analysts– Security technicians– Security staff
Information Security Roles and Titles (cont’d.)
Management of Information Security, 3rd ed. 33
Information Security Roles and Titles (cont’d.)
Figure 5-10 Information security roles
Source: Course Technology/Cengage LearningManagement of Information Security, 3rd ed. 34
Help Desk Personnel
• Help desk– An important part of the information security
team – Enhances the security team’s ability to identify
potential problems– When a user calls the help desk with a
complaint , the user’s problem may turn out to be related to a bigger problem, such as a hacker, denial-of-service attack, or a virus
Management of Information Security, 3rd ed. 35
Help Desk Personnel (cont’d.)
• Help desk (cont’d.)– Because help desk technicians perform a
specialized role in information security, they have a need for specialized training
Management of Information Security, 3rd ed. 36
Implementing Security Education, Training, and Awareness Programs• SETA program
– Designed to reduce accidental security breaches
– Consists of three elements: security education, security training, and security awareness
• Awareness, training, and education programs offer two major benefits:– Improving employee behavior– Enabling the organization to hold employees
accountable for their actions
Management of Information Security, 3rd ed. 37
Implementing SETAPrograms (cont’d.)
• Purpose of SETA is to enhance security:– By building in-depth knowledge, to design,
implement, or operate security programs for organizations and systems
– By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
– By improving awareness of the need to protect system resources
Management of Information Security, 3rd ed. 38
Source: National Institute of Standards and Technology. An Introduction to Computer Security: The
NIST Handbook. SP 800-12. http://csrc.nist.gov/publications/nistpubs/800-12/.
Implementing SETAPrograms (cont’d.)
Table 5-3 Framework of security education, training and awareness
Management of Information Security, 3rd ed. 39
Security Education
• Employees within information security may be encouraged to seek a formal education– If not prepared by their background or
experience– A number of institutions of higher learning,
including colleges and universities, provide formal coursework in information security
Management of Information Security, 3rd ed. 40
Security Education (cont’d.)
• A knowledge map– Can help potential students assess information
security programs– Identifies the skills and knowledge clusters
obtained by the program’s graduates– Creating the map can be difficult because
many academics are unaware of the numerous subdisciplines within the field of information security
• Each of which may have different knowledge requirements
Management of Information Security, 3rd ed. 41
Source: Course Technology/Cengage Learning
Figure 5-11 Information security knowledge map
Security Education (cont’d.)
Management of Information Security, 3rd ed. 42
• Depth of knowledge– Indicated by a level of mastery using an
established taxonomy of learning objectives or a simple scale such as “understanding → accomplishment → proficiency → mastery.”
• Because many institutions have no frame of reference for which skills and knowledge are required for a particular job area– They may refer to the certifications offered in
that field
Security Education (cont’d.)
Management of Information Security, 3rd ed. 43
• Once the knowledge areas are identified, common knowledge areas are aggregated into teaching domains– From which individual courses can be created
• Course design– Should enable a student to obtain the required
knowledge and skills upon completion of the program
– Identify the prerequisite knowledge for each class
Security Education (cont’d.)
Management of Information Security, 3rd ed. 44
Source: Course Technology/Cengage Learning
Figure 5-12 Technical course progression
Security Education (cont’d.)
Management of Information Security, 3rd ed. 45
Security Training
• Involves providing detailed information and hands-on instruction – To develop user skills to perform their duties
securely
• Management can either develop customized training or outsource
Management of Information Security, 3rd ed. 46
Security Training (cont’d.)
• Customizing training for users– By functional background
• General user • Managerial user• Technical user
– By skill level• Novice• Intermediate• Advanced
Management of Information Security, 3rd ed. 47
Training Techniques
• Using the wrong method– Can hinder the transfer of knowledge
• Leading to unnecessary expense and frustrated, poorly trained employees
• Good training programs– Take advantage of the latest learning
technologies and best practices
Management of Information Security, 3rd ed. 48
Training Techniques (cont’d.)
• Recent developments– Less use of centralized public courses and
more on-site training
• Training is often for one or a few individuals– Waiting until there is a large-enough group for
a class can cost companies lost productivity
• Other best practices– Increased use of short, task-oriented modules
• Available during the normal work week
Management of Information Security, 3rd ed. 49
Training Techniques (cont’d.)
• Selection of the training delivery method– Not always based on the best outcome for the
trainee• Often overridden by budget, scheduling, and needs
of the organization
• Types of delivery methods– One-on-one– Formal class– Computer-based training (CBT)
Management of Information Security, 3rd ed. 50
Training Techniques (cont’d.)
• Types of delivery methods (cont’d.)– Distance learning/web seminars– User support group– On-the-job training– Self-study (non-computerized)
Management of Information Security, 3rd ed. 51
• Training methods– Use a local training program– Use a continuing education department– Use another external training agency– Hire a professional trainer, a consultant, or
someone from an accredited institution to conduct on-site training
– Organize and conduct training in-house using organization’s own employees
Training Techniques (cont’d.)
Management of Information Security, 3rd ed. 52
Implementing Training
• Seven-step methodology generally applies:– Step 1: Identify program scope, goals, and
objectives– Step 2: Identify training staff– Step 3: Identify target audiences– Step 4: Motivate management and employees– Step 5: Administer the program– Step 6: Maintain the program– Step 7: Evaluate the program
Management of Information Security, 3rd ed. 53
Security Awareness
• One of the least frequently implemented, but most effective security methods is the security awareness program
• Security awareness programs: – Set the stage for training by changing
organizational attitudes to realize the importance of security and the adverse consequences of its failure
– Remind users of the procedures to be followed
Management of Information Security, 3rd ed. 54
Security Awareness (cont’d.)
• Best practices– Focus on people – Refrain from using technical jargon– Use every available venue – Define learning objectives, state them clearly,
and provide sufficient detail and coverage– Keep things light– Don’t overload the users – Help users understand their roles in InfoSec
Management of Information Security, 3rd ed. 55
Security Awareness (cont’d.)
• Best practices (cont’d.)– Take advantage of in-house communications
media – Make the awareness program formal
• Plan and document all actions
– Provide good information early, rather than perfect information late
Management of Information Security, 3rd ed. 56
• The ten commandments of information security awareness training– Information security is a people, rather than a
technical, issue– If you want them to understand, speak their
language– If they cannot see it, they will not learn it– Make your point so that you can identify it and
so can they.– Never lose your sense of humor
Security Awareness (cont’d.)
Management of Information Security, 3rd ed. 57
• The ten commandments of information security awareness training (cont’d.)– Make your point, support it, and conclude it– Always let the recipients know how the
behavior that you request will affect them– Ride the tame horses– Formalize your training methodology– Always be timely, even if it means slipping
schedules to include urgent information
Security Awareness (cont’d.)
Management of Information Security, 3rd ed. 58
• Security awareness and security training are designed to modify any employee behavior that endangers the security of the organization’s information– Security training and awareness activities can
be undermined if management does not set a good example
Security Awareness (cont’d.)
Management of Information Security, 3rd ed. 59
• Effective training and awareness programs make employees accountable for their actions
• Dissemination and enforcement of policy become easier when training and awareness programs are in place
• Demonstrating due care and due diligence can help indemnify the institution against lawsuits
Security Awareness (cont’d.)
Management of Information Security, 3rd ed. 60
• Awareness can take on different forms for particular audiences
• A security awareness program can use many methods to deliver its message
• Recognize that people tend to practice a tuning out process (acclimation)– Awareness techniques should be creative and
frequently changed
Security Awareness (cont’d.)
Management of Information Security, 3rd ed. 61
Security Awareness (cont’d.)
• Many security awareness components are available at little or no cost – Others can be very expensive
• Examples of security awareness components– Videos– Posters and banners– Lectures and conferences– Computer-based training
Management of Information Security, 3rd ed. 62
Security Awareness (cont’d.)
• Examples of security awareness components (cont’d.)– Newsletters– Brochures and flyers– Trinkets (coffee cups, pens, pencils, T-shirts)– Bulletin boards
Management of Information Security, 3rd ed. 63
• Security newsletter – A cost-effective way to disseminate security
information– Newsletters can be in the form of hard copy, e-
mail, or intranet– Topics can include threats to the organization’s
information assets, schedules for upcoming security classes, and the addition of new security personnel
Security Awareness (cont’d.)
Management of Information Security, 3rd ed. 64
• Security newsletter (cont’d.)– The goal is to keep the idea of information
security uppermost in users’ minds and to stimulate them to care about security
– Newsletters might include:• Summaries of key policies• Summaries of key news articles• A calendar of security events, including training
sessions, presentations, and other activities• Announcements relevant to information security• How-to’s
Security Awareness (cont’d.)
Management of Information Security, 3rd ed. 65
Security Awareness (cont’d.)
Figure 5-13 SETA awareness components: Newsletters
Source: Course Technology/Cengage LearningManagement of Information Security, 3rd ed. 66
• Security poster series – A simple and inexpensive way to keep security
on people’s minds– Professional posters can be quite expensive,
so in-house development may be the best solution
– Keys to a good poster series:• Varying the content and keeping posters updated • Keeping them simple, but visually interesting• Making the message clear• Providing information on reporting violations
Security Awareness (cont’d.)
Management of Information Security, 3rd ed. 67
Security Awareness (cont’d.)
Figure 5-14 SETA awareness components: Posters
Source: Course Technology/Cengage LearningManagement of Information Security, 3rd ed. 68
Security Awareness (cont’d.)
• Trinket programs– Inexpensive on a per-unit basis– They can be expensive to distribute
• Types of trinkets– Pens and pencils, mouse pads– Coffee mugs, plastic cups– Hats, T-shirts
• The messages trinket programs impart will be lost unless reinforced by other means
Management of Information Security, 3rd ed. 69
Security Awareness (cont’d.)
Figure 5-15 SETA awareness components: Trinkets
Source: Course Technology/Cengage LearningManagement of Information Security, 3rd ed. 70
Security Awareness (cont’d.)
• Organizations can establish Web pages or sites dedicated to promoting information security awareness– The challenge lies in updating the messages
frequently enough to keep them fresh
• Tips on creating and maintaining an educational Web site– See what’s already out there– Plan ahead
Management of Information Security, 3rd ed. 71
Security Awareness (cont’d.)
• Tips on creating and maintaining an educational Web site (cont’d.)– Keep page loading time to a minimum– Seek feedback– Assume nothing and check everything– Spend time promoting your site
Management of Information Security, 3rd ed. 72
• Security awareness conference– Have a guest speaker or even a mini-
conference dedicated to the topic• Perhaps in association with the semi-annual
National Computer Security Days: October 31 and April 4
Security Awareness (cont’d.)
Management of Information Security, 3rd ed. 73
Summary
• Introduction
• Organizing for security
• Placing information security within an organization
• Components of the security program
• Information security roles and titles
• Implementing security education, training, and awareness programs
Management of Information Security, 3rd ed. 74