
INFORMATION SECURITY MANAGEMENT


judybowen

Presentation Transcript


  1. INFORMATION SECURITY MANAGEMENT Lecture 5: Developing the Security Program You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

  2. Course Assignments • Threat Presentation: • One of the 2016 Predicted Threats • Term Paper • 1500-word Executive Summary focusing on a specific security topic (e.g. HIPAA, Information Assurance, etc.) • Demo Presentation • During final exam time, present on a security-related software product that may be used by organizations

  3. Policy “The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems”

  4. Policy • Explains the will of the organization’s management in controlling the behavior of employees

  5. Bulls-eye Model

  6. Policy, Standards, and Practices • Policy & Types • Enterprise • Issue-specific • Systems-specific • Standards • Practices

  7. Enterprise Information Security Policy (EISP) • Sets strategic direction, scope, and tone for organization’s security efforts • Assigns responsibilities for various areas of information security • Examples: • http://uncw.edu/policies/it.html • http://doit.maryland.gov/support/pages/securitypolicies.aspx

  8. Issue-Specific Security Policy (ISSP) • Provides detailed, targeted guidance • Protects organization from inefficiency and ambiguity • Indemnifies the organization against liability for an employee’s inappropriate or illegal system use • Examples at UNCW: • Email Abuse

  9. System-Specific Security Policy • System-specific security policies (SysSPs) frequently do not look like other types of policy • SysSPs can be separated into: • Management guidance • Created by management to guide the implementation and configuration of technology • Example: Lifecycle Replacement • Technical specifications • Implementing managerial policy through access controls and configuration rules • Example: Access to Information Resources and Data

  10. Technical Specifications SysSPs: Case Study • Disaster at a University: A Case Study in Information Security • Overview • Issue • People Involved • Approach and Resolution • Outcomes • Conclusion

  11. Guidelines for Effective Policy • For policies to be effective, they must be properly: • Developed • Distributed or disseminated • Reviewed or read • Understood • Formally agreed to • Uniformly applied and enforced

  12. A Final Note on Policy Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy.

  13. Introduction: Information Security Program • The term information security program describes the structure and organization of the effort that manages risks to the organization’s information assets • Example: UNCW Info Security Program

  14. Organizing for Security • Variables involved in structuring an information security program • Culture • Budgets • Size • As organizations increase in size, their security departments are not keeping up with increasingly complex organizational infrastructures

  15. Does Size Matter? :Approaches to Programs • Larger Organization • Medium Sized Organization • Small Business

  16. Security: Very Large Organizations • Security budgets often grow faster than IT budgets • Even with a large budget, the average amount spent on security per user is still smaller than in any other type of organization

  17. Security: Large Organizations • Security approach has often matured, integrating planning and policy into the organization’s culture • One approach separates functions into four areas: • Non-technology business units outside of IT • IT groups outside of the information security area • Information Security Dept. (customer service) • Information Security Dept. (compliance)

  18. Security: Large Organizations (cont’d.) • The CISO has responsibility for information security functions • The deployment of full-time security personnel depends on: • Sensitivity of the information to be protected • Industry regulations • General profitability • Budgetary Constraints

  19. Security: Medium-Sized Organizations • May be large enough to implement a multi-tiered approach to security • Tend to ignore some security functions

  20. Security: Small Organizations • Simple, centralized IT organizational model • Spend disproportionately more on security per user • Formal policy, planning, and security measures are often minimal • Commonly outsource functions • Threats from insiders are less likely • Every employee knows every other employee

  21. Components of the Security Program • Organization’s information security needs • Unique to the culture, size, and budget of the organization • Determining what level the information security program operates on depends on the organization’s strategic plan • Also the plan’s vision and mission statements • The CIO and CISO should use these two documents to formulate the mission statement for the information security program

  22. Information Security Roles and Titles • Types of information security positions • Those that define • Those that build • Those that administer • A typical organization has a number of individuals with information security responsibilities

  23. Information Security Roles and Titles (cont’d.) • While the titles used may be different, most of the job functions fit into one of the following: • Chief Information Security Officer (CISO) or Chief Security Officer (CSO) • Security managers • Security administrators and analysts • Security technicians • Security staff • Help Desk

  24. Information Security Roles and Titles (cont’d.)

  25. Implementing Security Education, Training, and Awareness Programs • SETA program • Benefits • Purpose: Enhance Security

  26. SETA: Security Education • Employees within information security may be encouraged to seek a formal education • Depth of knowledge • Some organizations may refer to the certifications offered in that field

  27. SETA: Security Education Developing Education Program • Once the knowledge areas are identified, common knowledge areas are aggregated into teaching domains • Course design • Should enable a student to obtain the required knowledge and skills upon completion of the program • Identify the prerequisite knowledge for each class

  28. SETA: Security Training • Involves providing detailed information and hands-on instruction • Management can either develop customized training or outsource • Customizing training for users: • Functional Background • Skill Level

  29. SETA: Training Techniques • Using the wrong method can hinder the transfer of knowledge • Good training programs • Training is often for one or a few individuals

  30. SETA: Training Techniques (cont’d.) • Selection of the training delivery method • Not always based on the best outcome for the trainee

  31. SETA: Security Awareness • One of the least frequently implemented, yet most effective, security methods • Security awareness programs: • Set the stage for training by changing organizational attitudes so that people realize the importance of security and the adverse consequences of its failure • Remind users of the procedures to be followed

  32. SETA: Security Awareness (cont’d.) • Best practices: • Focus on people • Refrain from using technical jargon • Use every available venue • Define learning objectives, state them clearly, and provide sufficient detail and coverage • Keep things light • Don’t overload the users • Help users understand their roles in InfoSec • Take advantage of in-house communications media • Make the awareness program formal • Plan and document all actions • Provide good information early, rather than perfect information late

  33. SETA: Security Awareness (cont’d.) • Commandments of information security awareness training • Information security is a people issue • Speak their language • If they cannot see it, they will not learn it • Make your point, support it, and conclude it • Always let the recipients know how the behavior that you request will affect them • Formalize your training methodology • Always be timely

  35. SETA: Security Awareness (cont’d.) • Designed to modify any employee behavior that endangers the security of the organization’s information • Effective programs make employees accountable for their actions • Dissemination and enforcement of policy become easier • Demonstrating due care and due diligence can help indemnify the institution against lawsuits

  36. SETA: Security Awareness (cont’d.) • Awareness can take on different forms for particular audiences • A security awareness program can use many methods to deliver its message • Recognize that people tend to practice a tuning out process (acclimation)

  37. SETA: Security Awareness (cont’d.) • Many security awareness components are available at little or no cost • Others can be very expensive • Examples of security awareness components • Videos (several examples linked) • Posters and banners • Lectures and conferences • Computer-based training • Serious Games (e.g. Nova Labs and other games)

  38. Management of Information Security, 3rd ed. Security Awareness (cont’d.) • Examples of security awareness components (cont’d.) • Newsletters • Brochures and flyers • Trinkets (coffee cups, pens, pencils, T-shirts) • Bulletin boards

  39. Security Awareness (cont’d.) • Security poster series • A simple and inexpensive way to keep security on people’s minds • Keys to a good poster series: • Varying the content and keeping posters updated • Keeping them simple, but visually interesting • Making the message clear • Providing information on reporting violations

  40. Security Awareness (cont’d.) • Trinket programs • Inexpensive on a per-unit basis • They can be expensive to distribute • Types of trinkets • Pens and pencils, mouse pads • Coffee mugs, plastic cups • Hats, T-shirts

  41. Security Awareness (cont’d.) • Organizations can establish Web pages or sites dedicated to promoting information security awareness • Tips on creating and maintaining an educational Web site (cont’d.) • Keep page loading time to a minimum • Seek feedback • Assume nothing and check everything • Spend time promoting your site

  42. Discussion Topics • Discuss the advantages and disadvantages of nesting the information security role within the information technology (IT) part of the organization. • Discuss posters, trinkets, and Web sites as information security awareness methods. What are some advantages and disadvantages of each method? Which do you think is the best method and why?

  43. Useful Resources • Building an SETA program • Microsoft Security Awareness

  44. Summary • Organizing for security • Placing information security within an organization • Components of the security program • Information security roles and titles • Implementing security education, training, and awareness programs

  45. Reminders • Next Week • Assessment #1 – Submit before midnight on 2/17 • Demo Project – Start to brainstorm
