ITC358 ICT Management and Information Security
Chapter 5 Developing the Security Program
We trained hard… but every time we formed up teams we would be reorganised. I was to learn that we meet any new situation by reorganising. And a wonderful method it can be for creating the illusion of progress while producing confusion, inefficiency, and demoralisation. – Petronius Arbiter, Roman Writer and Satirist, 210 B.C.
Objectives
• Upon completion of this material you should be able to:
  • Explain the organisational approaches to information security
  • List and describe the functional components of an information security program
  • Determine how to plan and staff an organisation’s information security program based on its size
Objectives (cont’d.)
• Upon completion of this material you should be able to: (cont’d.)
  • Evaluate the internal and external factors that influence the activities and organisation of an information security program
  • List and describe the typical job titles and functions performed in the information security program
Objectives (cont’d.)
• Upon completion of this material you should be able to: (cont’d.)
  • Describe the components of a security education, training, and awareness program and explain how organisations create and manage these programs
Introduction
• Some organisations use “security program” to describe the entire set of personnel, plans, policies, and initiatives related to information security
• The term “information security program” is used here to describe the structure and organisation of the effort that contains risks to the information assets of the organisation
Organising for Security
• Variables involved in structuring an information security program
  • Organisational culture
  • Size
  • Security personnel budget
  • Security capital budget
• As organisations increase in size:
  • Their security departments are not keeping up with increasingly complex organisational infrastructures
Organising for Security (cont’d.)
• Information security departments tend to form internal groups
  • To meet long-term challenges and handle day-to-day security operations
• Functions are likely to be split into groups
• Smaller organisations typically create fewer groups
  • Perhaps having only one general group of specialists
Organising for Security (cont’d.)
• Very large organisations
  • More than 10,000 computers
  • Security budgets often grow faster than IT budgets
  • Even with a large budget, the average amount spent on security per user is still smaller than in any other type of organisation
  • Small organisations spend more than $5,000 per user on security; very large organisations spend about 1/18th of that, roughly $300 per user
Organising for Security (cont’d.)
• Very large organisations (cont’d.)
  • Do a better job in the policy and resource management areas
  • Only 1/3 of organisations handled incidents according to an IR plan
• Large organisations
  • Have 1,000 to 10,000 computers
  • Security approach has often matured, integrating planning and policy into the organisation’s culture
Organising for Security (cont’d.)
• Large organisations (cont’d.)
  • Do not always put large amounts of resources into security
  • Considering the vast numbers of computers and users often involved
    • They tend to spend proportionally less on security
Security in Large Organisations
• One approach separates functions into four areas:
  • Functions performed by non-technology business units outside of IT
  • Functions performed by IT groups outside of the information security area
  • Functions performed within the information security department as customer service
  • Functions performed within the information security department as compliance
Security in Large Organisations (cont’d.)
• The CISO has responsibility for information security functions
  • These should be adequately performed somewhere within the organisation
• The deployment of full-time security personnel depends on:
  • Sensitivity of the information to be protected
  • Industry regulations
  • General profitability
Security in Large Organisations (cont’d.)
• The more money the company can dedicate to its personnel budget
  • The more likely it is to maintain a large information security staff
Security in Large Organisations (cont’d.) Figure 5-1 Example of information security staffing in a large organisation
Security in Large Organisations (cont’d.) Figure 5-2 Example of information security staffing in a very large organisation
Security in Medium-Sized Organisations
• Medium-sized organisations
  • Have between 100 and 1,000 computers
  • Have a smaller total budget
  • Have the same sized security staff as the small organisation, but a larger need
  • Must rely on help from IT staff for plans and practices
  • Ability to set policy, handle incidents, and effectively allocate resources is worse than in any other size
Security in Medium-Sized Organisations (cont’d.)
• Medium-sized organisations (cont’d.)
  • May be large enough to implement a multi-tiered approach to security
    • With fewer dedicated groups and more functions assigned to each group
  • Tend to ignore some security functions
Security in Medium-Sized Organisations (cont’d.) Figure 5-3 Example of information security staffing in a medium-sized organisation
Security in Small Organisations
• Small organisations
  • Have between 10 and 100 computers
  • Have a simple, centralised IT organisational model
  • Spend disproportionately more on security
  • Information security is often the responsibility of a single security administrator
  • Have little in the way of formal policy, planning, or security measures
Security in Small Organisations (cont’d.)
• Small organisations (cont’d.)
  • Commonly outsource their Web presence or electronic commerce operations
  • Security training and awareness is commonly conducted on a one-on-one basis
  • Policies (when they exist) are often issue-specific
  • Formal planning is often part of IT planning
  • Threats from insiders are less likely
    • Every employee knows every other employee
Security in Small Organisations (cont’d.) Figure 5-4 Example of information security staffing in a smaller organisation Source: Course Technology/Cengage Learning
Placing Information Security Within an Organisation
• In large organisations
  • InfoSec is often located within the information technology department
  • Headed by the CISO, who reports directly to the top computing executive, or CIO
• An InfoSec program is sometimes at odds with the goals and objectives of the IT department as a whole
Placing Information Security Within an Organisation (cont’d.)
• Because the goals and objectives of the CIO and the CISO may come into conflict
  • It is not difficult to understand the current movement to separate information security from the IT division
• The challenge is to design a reporting structure for the InfoSec program that balances the needs of each of the communities of interest
Placing Information Security Within an Organisation (cont’d.) Source: From Information Security Roles and Responsibilities Made Easy, used with permission. Figure 5-5 Wood’s Option 1: Information security reports to information technology department
Placing Information Security Within an Organisation (cont’d.) Source: From Information Security Roles and Responsibilities Made Easy, used with permission. Figure 5-6 Wood’s Option 2: Information security reports to broadly defined security department
Placing Information Security Within an Organisation (cont’d.) Source: From Information Security Roles and Responsibilities Made Easy, used with permission. Figure 5-7 Wood’s Option 3: Information security reports to administrative services department
Placing Information Security Within an Organisation (cont’d.) Source: From Information Security Roles and Responsibilities Made Easy, used with permission. Figure 5-8 Wood’s Option 4: Information security reports to insurance and risk management department
Placing Information Security Within an Organisation (cont’d.) Figure 5-9 Wood’s Option 5: Information security reports to strategy and planning department Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
Placing Information Security Within an Organisation (cont’d.)
• Other options
  • Option 6: Legal
  • Option 7: Internal audit
  • Option 8: Help desk
  • Option 9: Accounting and finance through IT
  • Option 10: Human resources
  • Option 11: Facilities management
  • Option 12: Operations
Components of the Security Program
• Organisation’s information security needs
  • Unique to the culture, size, and budget of the organisation
• Determining what level the information security program operates on depends on the organisation’s strategic plan
  • Also the plan’s vision and mission statements
  • The CIO and CISO should use these two documents to formulate the mission statement for the information security program
Information Security Roles and Titles
• Types of information security positions
  • Those that define
    • Provide the policies, guidelines, and standards
    • Do the consulting and the risk assessment
    • Develop the product and technical architectures
    • Senior people with a lot of broad knowledge, but often not a lot of depth
  • Those that build
    • The real “techies” who create and install security solutions
Information Security Roles and Titles (cont’d.)
• Types of information security positions (cont’d.)
  • Those that administer
    • Operate and administer the security tools and the security monitoring function
    • Continuously improve the processes
• A typical organisation has a number of individuals with information security responsibilities
Information Security Roles and Titles (cont’d.)
• While the titles used may be different, most of the job functions fit into one of the following:
  • Chief Information Security Officer (CISO) or Chief Security Officer (CSO)
  • Security managers
  • Security administrators and analysts
  • Security technicians
  • Security staff
Information Security Roles and Titles (cont’d.) Figure 5-10 Information security roles Source: Course Technology/Cengage Learning
Help Desk Personnel
• Help desk
  • An important part of the information security team
  • Enhances the security team’s ability to identify potential problems
  • When a user calls the help desk with a complaint, the user’s problem may turn out to be related to a bigger problem, such as a hacker, a denial-of-service attack, or a virus
Help Desk Personnel (cont’d.)
• Help desk (cont’d.)
  • Because help desk technicians perform a specialised role in information security, they need specialised training
Implementing Security Education, Training, and Awareness Programs
• SETA program
  • Designed to reduce accidental security breaches
  • Consists of three elements: security education, security training, and security awareness
• Awareness, training, and education programs offer two major benefits:
  • Improving employee behavior
  • Enabling the organisation to hold employees accountable for their actions
Implementing SETA Programs (cont’d.)
• The purpose of SETA is to enhance security:
  • By building in-depth knowledge, as needed, to design, implement, or operate security programs for organisations and systems
  • By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
  • By improving awareness of the need to protect system resources
Implementing SETA Programs (cont’d.)
Table 5-3 Framework of security education, training and awareness
Source: National Institute of Standards and Technology. An Introduction to Computer Security: The NIST Handbook. SP 800-12. http://csrc.nist.gov/publications/nistpubs/800-12/
Security Education
• Employees within information security may be encouraged to seek a formal education
  • If not prepared by their background or experience
• A number of institutions of higher learning, including colleges and universities, provide formal coursework in information security
Security Education (cont’d.)
• A knowledge map
  • Can help potential students assess information security programs
  • Identifies the skills and knowledge clusters obtained by the program’s graduates
  • Creating the map can be difficult because many academics are unaware of the numerous subdisciplines within the field of information security
    • Each of which may have different knowledge requirements
Security Education (cont’d.) Figure 5-11 Information security knowledge map Source: Course Technology/Cengage Learning
Security Education (cont’d.)
• Depth of knowledge
  • Indicated by a level of mastery using an established taxonomy of learning objectives or a simple scale such as “understanding → accomplishment → proficiency → mastery”
• Because many institutions have no frame of reference for which skills and knowledge are required for a particular job area
  • They may refer to the certifications offered in that field
Security Education (cont’d.)
• Once the knowledge areas are identified, common knowledge areas are aggregated into teaching domains
  • From which individual courses can be created
• Course design
  • Should enable a student to obtain the required knowledge and skills upon completion of the program
  • Identify the prerequisite knowledge for each class
Security Education (cont’d.) Figure 5-12 Technical course progression Source: Course Technology/Cengage Learning
Security Training
• Involves providing detailed information and hands-on instruction
  • To develop user skills to perform their duties securely
• Management can either develop customised training or outsource it
Security Training (cont’d.)
• Customising training for users
  • By functional background
    • General user
    • Managerial user
    • Technical user
  • By skill level
    • Novice
    • Intermediate
    • Advanced
Training Techniques
• Using the wrong method
  • Can hinder the transfer of knowledge
  • Leading to unnecessary expense and frustrated, poorly trained employees
• Good training programs
  • Take advantage of the latest learning technologies and best practices
Training Techniques (cont’d.)
• Recent developments
  • Less use of centralised public courses and more on-site training
  • Training is often for one or a few individuals
    • Waiting until there is a large-enough group for a class can cost companies lost productivity
• Other best practices
  • Increased use of short, task-oriented modules
  • Available during the normal work week
Training Techniques (cont’d.)
• Selection of the training delivery method
  • Not always based on the best outcome for the trainee
  • Often overridden by budget, scheduling, and the needs of the organisation
• Types of delivery methods
  • One-on-one
  • Formal class
  • Computer-based training (CBT)