Information Systems Security Officer
CS 996: Information Security Management
Pavel Margolin, 4/20/05
Overview
• Who is an ISSO?
• Duties and Responsibilities
• Planning
• Establishing the CIAPP
• InfoSec Functions
• InfoSec in the Government
Who is an ISSO?
• ISSO: Information Systems Security Officer
• Reports to the Chief Information Officer (CIO), who reports to the CEO.
• Leader of the Information Security (InfoSec) organization.
• Qualifications
  • Manage and organize people
  • Communicate with upper management without much technical detail
  • Have enough technical expertise to understand systems and make decisions
Duties and Responsibilities
• Establishing and enforcing the Corporate Information Assets Protection Program (CIAPP)
• Managing people
• Managing the business of the CIAPP
• Managing CIAPP processes
• Hiring InfoSec staff
• Reporting to upper management
Planning
• Strategic Plan (ISSSP)
  • Compatible with the Strategic Business Plan
  • Long-term direction, goals, and objectives
• Tactical Plan (ITP)
  • Short-range plan
  • Supports CIAPP and InfoSec functional goals and objectives
• Annual Plan (IAP)
  • Identify and implement projects to accomplish the goals and objectives in the ISSSP and ITP
  • Plan of projects for the year
Establishing the CIAPP
• Reasons for the CIAPP
• Corporate vision, mission, and quality statements
• Corporate strategic, tactical, and annual business plans
• InfoSec vision, mission, and quality statements
• InfoSec strategic, tactical, and annual business plans
• Information and systems legal, ethical, and best business practices
• Overall information assets protection plans, policies, and procedures
• Current CIAPP-related and InfoSec policies
• Current CIAPP-related and InfoSec procedures
• Other topics as deemed appropriate by the ISSO
[Diagram: the CIAPP process. Labels on the slide: Laws; Regulations; Business Practices; Ethics; Risk Assessments (Vulnerability assessments, Threat assessments, Limited risk assessments, Risk analyses); Best InfoSec Practices; CIAPP Process; Costs; Profits; Sales; Public Relations; Stockholders' value; Business Decisions; InfoSec Policies; InfoSec Procedures; InfoSec Processes; CIAPP]
Example CIAPP Requirements and Policy Directive
• Introduction Section
• Purpose Section
• Scope Section
• Responsibilities
• Requirements Section
  • Identifying the value of the information
  • Access to information systems
  • Access to specific applications and files
  • Audit trails and their review
  • Reporting and response in the event of a violation
  • Minimum protection requirements for the hardware, firmware, and software
  • Requirements for InfoSec procedures at other departments and lower levels of the corporation
• Physical Security
  • Optional if Physical Security is handled by the Director of Security
InfoSec Functions
• Processes
  • Valuing Information
  • Awareness
  • Access Control
  • Evaluation of all hardware, firmware, and software
  • Risk Management
  • Security Tests and Evaluations program
  • Noncompliance Inquiries
  • Contingency and emergency planning and disaster recovery program (CEP-DR)
Function Drivers
• Requirements Drivers
  • Customers
  • Contracts
  • InfoSec Custodians
  • Users
  • Management
  • Audits
  • Tests & Evaluations
  • Other employees
  • Laws
  • Regulations
  • Non-compliance Inquiries
  • Investigations
  • Trade articles
  • Technical Bulletins
  • Business Plans
  • ISSO's plans
  • Best business practices
  • Best InfoSec practices
• ISSO Organizational Functions
  • Identification of InfoSec requirements
  • Access control
  • Non-compliance Inquiries (NCI)
  • Disaster Recovery/Emergency Planning
  • Tests and Evaluations
  • Intranet Security
  • Internet and Web Site Security
  • Security Applications Protection
  • Security Software Development
  • Software Interface InfoSec Evaluations
  • Access Control Violations Analysis
  • Systems' Approvals
  • CIAPP Awareness and Training
  • Contractual Compliance Inspections
  • InfoSec Risk Management
[Diagram: the requirements drivers feed the CIAPP and the ISSO's CIAPP organizational requirements, responsibilities, and charter, which in turn define the ISSO organizational functions]
InfoSec in the Government
• National Security Classified Information
  • Confidential: loss of this information can cause damage to national security
  • Secret: loss of this information can cause serious damage to national security
  • Top Secret: loss of this information can cause grave damage to national security
  • Black/Compartmented: granted on a need-to-know (NTK) basis. Example: Sensitive Compartmented Information (SCI).
• Unclassified
  • For Official Use Only
  • Unclassified but Sensitive Information
  • Unclassified
InfoSec Requirements in the Government
• InfoSec policy: laws, rules, and practices that regulate how organizations handle national security data.
• Accountability: assigning responsibility and accountability to individuals or groups who deal with national security information.
• Assurance: guarantees that the InfoSec policy is implemented correctly and that the InfoSec elements accurately mediate and enforce the policy.
• Documentation: records how a system is structured, its functions, and how the system was designed.
InfoSec Objectives in the Government
• Protect and defend all information used by an AIS (automated information system)
• Prevent unauthorized access, modification, damage, destruction, or DoS
• Provide assurances of:
  • Compliance with government and contractual obligations and agreements
  • Confidentiality of all classified information
  • Integrity of information and related processes
  • Availability of information
  • Usage of the information and AIS by authorized personnel only
  • Identification and elimination of fraud, waste, and abuse
ISSO at Gov't Agencies
• Maintain a plan for site security improvement
• Ensure IS systems are operated, used, maintained, and disposed of properly
• Ensure IS systems are certified and accredited
• Ensure users and personnel have the required security clearances, authorization, and NTK, and are familiar with internal security practices
• Enforce security policies and safeguards on personnel having access to an IS
• Ensure audit trails are reviewed periodically
• Initiate protective and corrective measures
• Report security incidents in accordance with agency-specific policy
• Report the security status of the IS
• Evaluate known vulnerabilities to determine if additional security is needed
Levels of Performance
• Entry Level
  • Identify vulnerabilities and recommend security solutions required to return the system to an operational level of assurance.
• Intermediate Level
  • For a new system architecture, investigate and document system security technology, policies, and training requirements to assure system operation at a specified level of assurance.
• Advanced Level
  • For an accreditation action, analyze and evaluate system security technology, policy, and training requirements in support of upper management. The analysis will include a description of the management/technology team required to successfully complete the accreditation process.
Duties of Gov't ISSO
• Develop Certification and Accreditation Posture
  • Plan for Certification and Accreditation
  • Create CIA (confidentiality, integrity, availability) Policy
  • Control Systems Policy
  • Culture and Ethics
  • Incident Response
• Implement Site Security Policy
  • Provide CIA
  • Ensure Facility is approved
  • Manage Operations of Information Systems
  • Regulate General Principles
    • Access Control, Training, Awareness, Legal aspects, CC, etc.
  • Security Management
  • Access Controls
  • Human Access
  • Key Management
  • Incident Response
Duties (continued)
• Enforce and verify system security policy
  • CIA and Accountability
  • Security Management
  • Access Controls
  • Automated Security Tools
  • Handling Media
  • Incident Response
• Report on site security status
  • Security Continuity Reporting
  • Report Security Incidents
  • Law
  • Report Security Status of IS as required by upper management
  • Report to Inspector General (IG)
Duties (continued)
• Support Certification and Accreditation
  • Certification Functions
  • Accreditation Functions
• Respond to upper management requests
References
• Kovacich, Dr. Gerald L., "The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program"
• "Information Assurance Training Standard for Information Systems Security Officers", http://www.cnss.gov/instructions.html