Information Security Organization

Report
Security Organization
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
[email protected]
IST 515
Objectives
This module will familiarize you with the following:
• Security planning
• Responsibilities of the chief information security
officer (CISO).
• Security organizational structure - reporting
models.
 What is the most effectively security structure
within an organization?
• Security organization best practices.
• Personnel security
• Security awareness, training and education.
Readings
• Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the
CISSP CBK, Auerbach, 2007. Domain 1 (Required).
• Benson, C., “Security Planning.” (Required)
http://technet.microsoft.com/en-us/library/cc723503.aspx
• Johnson, M. E. and Goetz, E., “Embedding Information
Security into the Organization,” IEEE Security & Privacy,
May/June 2007, pp. 16-24.
• ISO, “Organization of Information Security,”
http://www.iso27001security.com/ISO27k_Organization_of_i
nformation_security.rtf
• PriceWaterhouseCooper, “The Global State of Information
Security Survey,” 2005.
Organizational
Security Policy
Organizational
Design
Asset Classification
and Control
Access Control
Compliance
Personnel Security
Awareness Education
Operational
System Development
and Maintenance
Physical and
Environmental Security
Communications &
Operations Mgmt.
Business Continuity
Management
Security Management Practice









Security Governance.
Security Policies, Procedures, Standards,
Guidelines, and Baselines.
Security Planning.
Security Organization.
Personnel Security.
Security Audit and Control.
Security Awareness, Training and Education.
Risk Assessment and Management.
Professional Ethics.
Principles of Organizational Design
• Strategic Alignment.
• Organization structure - Functional vs. Matrix
– Span of control – hierarchy
– Reporting relationship (governmance)
• Job descriptions
• Staffing and skill requirements (training)
• Grading (reward structure)
• Clarity about the boundaries with other organizational
groups
Alsbridge, "Designing Your Organization for BPO and Shared Services."
http://www.sourcingmag.com/content/c070219a.asp
Principles of Organizational Design
• Strategic Alignment.
• Organization structure - Functional vs. Matrix
– Span of control – hierarchy
– Reporting relationship (governmance)
• Job descriptions
• Staffing and skill requirements (training)
• Grading (reward structure)
• Clarity about the boundaries with other organizational
groups
Alsbridge, "Designing Your Organization for BPO and Shared Services."
http://www.sourcingmag.com/content/c070219a.asp
Information Security Planning
• Planning reduces the likelihood that the
organization will be reactionary toward the
security needs.
• Security planning involves developing security
policies and implementing controls to prevent
computer risks from becoming reality.
• The risk assessment provides a baseline for
implementing security plans to protect assets
against various threats.
Hierarchy of Security Planning
• Strategic Planning (3-5 years). Strategic plans are aligned
with the strategic business and IT goals. They provide the
vision for projects to achieve the business objectives. The
plans should be reviewed annually or whenever major
change to the business occur.
• Tactical Planning (6-18 months). Tactical plans provide
the broad initiatives to support and achieve the goals
specified in the strategic plans.
• Operational and Project Planning. Specific plans with
milestones, dates and accountabilities provide the
communication and direction to ensure that the individual
projects are completed.
Type of Security Planning
Proactive Planning:
• Develop security policies and controls.
• Implement tools and techniques to aid in security.
- Secure access, secure data, and secure code.
- Techniques for network security – firewall, VPN.
- Detection tools.
• Implement technologies to keep the system running
in the event of a failure.
Reactive Planning:
• Develop a contingency plan.
Examples of Security Plan
• The Department of Housing and Urban Development,
SYSTEM SECURITY PLAN (SSP) TEMPLATE.
http://www.nls.gov/offices/cio/sdm/devlife/tempchecks/maste
mplate.doc
• California State University, Chico.
http://www.csuchico.edu/ires/security/documents/Information
%20Security%20Plan%20052009%20v5_1.pdf
• Sample Security Plan – Adventure Works.
Benson, C., “Security Planning.” (Required)
http://technet.microsoft.com/en-us/library/cc723503.aspx
Johnson, M. E. and Goetz, E., “Embedding Information
Security into the Organization,” IEEE Security & Privacy,
May/June 2007, pp. 16-24.
Security Related People
Security is the responsibility of everyone within the
organization. Related people include
•
•
•
•
•
•
•
•
•
•
Executive management.
Chief information security officer (CISO).
Information systems security professional.
Data /information / business owner.
Information systems auditor.
Information systems / IT professional.
Systems / network / security administrator.
Help desk administrator.
Administrative assistant / secretaries.
End users.
CISO Responsibilities






Communicate risks to
executive management.
Budget for information security
activities.
Ensure development of
policies, procedures, baselines,
standards, and guidelines.
Develop and provide security
awareness program.
Understand business objectives.
Maintain awareness of
emerging threats and
vulnerabilities.







Evaluate security incidents and
response.
Develop security compliance
program.
Establish security metrics.
Participate in management
meetings.
Ensure compliance with
governmental regulations.
Assist internal and external
auditors.
Stay abreast of emerging
technologies.
CISO Reporting Models
• Reporting to the CEO.
• Reporting to the information technology (IT)
department.
• Reporting to corporate security.
• Report to the administrative services department.
• Report to the insurance and risk management
department.
• Reporting to the internal audit department.
• Reporting to the legal department.
What are the pros and cons of each reporting model?
To Whom CISO Report
Legal Counsel
Chief Privacy
Risk Management
CSO
Other
Internal Audit
Security Committee
COO
CFO
VP
CTO
CIO (Independent)
Boarder of Dirs
CIO (Integrated)
CEO
2%
2%
3%
3%
4%
4%
4%
4%
4%
5%
5%
PWC Global State of Information
Security Survey2005
8%
12%
18%
21%
0%
5%
10%
15%
20%
25%
Organization of
Information
security
Executive Committee
Chaired by the Chief
Executive Officer
Audit Committee
Chaired by Head of
Audit
Security Committee
Chaired by Chief
Security Officer CSO
Information
Security
Manager
Risk Committee
Chaired by Risk
Manager
Local Security
Committees
One per location
Security
Administration
Policy &
Compliance
Information Asset
Owners (IAOs)
Risk &
Contingency
Management
Security
Operations
Site Security
Managers
(http://www.iso27001security.com/)
Security
Guards
Facilities
Management
Information Security Organization
CEO
CTO
CFO
COO
CIO
Legal/Chief
CPO
Corp Sec
Director
Information Security
Division SPOCS
Policy compliance
Technology security operations
Risk management
(Johnson and Goetz, 2007)
What are They?
• CEO: Chief Executive Officer.
• CFO: Chief Financial Officer.
• CTO: Chief Technology Officer.
• CIO: Chief Information Officer
• COO: Chief Operating Officer.
• CISO: Chief Information Security Officer.
• CSO: Chief Security Officer.
• CPO: Chief Privacy Officer.
Information Security Organization
Board
IA
CEO
CFO
CTO
Real Estate
Workplace Service
Security
Office
CIO
LB
LB
Business IT
IT Infrastructure
Health & Safety
Global security
Workplace security
Supply chain security
(Johnson and Goetz, 2007)
CISO
Business information
security manager
Strategy, architecture
And consulting
Host network security
Program process manager
Incident management
Compliance management
Incident Management
Information Security
Training & Awareness
Director of
Security
Risk Management
Critical Infrastructure
Protection &
Service Continuity
Security Infrastructure
& Technical Support
Security Infrastructure
& Technical Support
Standards, Policies
and Procedures
Information Security Organization
Security Advisory Group
Administration Assistant
Security Organization Best Practice
• Job rotation. Job rotation reduce the risk of collusion of
activities between individuals.
• Separation of duties. One individual should not have the
capability to execute all of the Steps of a particular process.
• Least privilege (need to know). Granting users only the
accesses that are required to perform their job functions.
• Mandatory vacations. Requiring mandatory vacations of a
specified consecutive-day period.
• Job position sensitivity. The access and duties of an individual
for a particular department should be assess to determine the
sensitivity of the position.
Separation of Duties
The same individual should not typically perform
the following functions:
•
•
•
•
•
•
•
•
•
Systems administration
Network management
Data entry
Computer operations
Security administration
Systems development and maintenance
Security auditing
Information systems management
Change management
Personnel Security – Hiring Practices
Managing the people aspect of security, from pre employment
to post employment, is critical to ensure trustworthy,
competent resources are employed to further the business
objectives that will protect the company information.
•
•
•
•
•
•
Developing job descriptions.
Developing confidentiality agreements.
Contacting references – Reference checks.
Screening/investigating background.
Ongoing supervision and periodic performance reviews.
Determining policies on vendor, contractor, consultant and
temporary staff access.
• Employee terminations need different levels of care.
Background Checks
Background checks can uncover the following problems:
• Gaps in employment.
• Misrepresentation of job titles.
• Job duties.
• Salary.
• Reasons for leaving a job.
• Validity and status of professional certification.
• Education verification and degrees obtained.
• Credit history.
• Driving records.
• Criminal history.
• Personal references.
• Social security number verification
Special Types of Background Checks
• Individuals involved in technology.
• Individuals with access to confidential or sensitive
information.
• Employees with access to company proprietary or
competitive data.
• Positions working with accounts payable, receivables, or
payroll.
• Positions dealing directly with the public.
• Employees working for healthcare industry-based
organizations or organizations dealing with financial
information.
• Positions involving driving a motor vehicle.
• Employees who will come in contact with children.
Elements of Professional Development
(NIST, SP 800-100)
The IT Security Learning Continuum
Manage
Acquire
Design & Develop
Implement & Operate
Review & Evaluate
Use
Security Basics & Literacy
Security Awareness
(NIST, SP 800-100)
Security Awareness

Provide the understanding of the importance of security
within an organization.
 Inform employees about their roles, and expectations
surrounding their roles, in the observance of information
security requirements.
 Provide guidance surrounding the performance of particular
security or risk management function, as well as provide
information surrounding the security or risk management
functions in general.
 Educate users in the fulfillment of its security program
objectives, which may also include audit objectives for
organizations that are bound by regulatory compliance
(e.g., HIPPA, the Sarbanes-Oxley Act).
Topics for Security Awareness
• Corporate security policies.
• Organization’s security
program.
• Regulatory compliance
requirements.
• Social engineering.
• Business continuity.
• Disaster recovery.
• Emergency management.
• Security incidence response.
• Data classification.
• Information labeling and
handling.
• Personnel security, safety
and soundness.
• Physical security.
• Appropriate computing
resource use.
• Proper care and handling of
security credentials
• Risk assessment.
• Accidents, errors or
omissions.
Awareness Activities and Methods
•
•
•
•
•
•
•
•
•
Formalized courses, face-to-face or online.
Use of posters to call attention to aspects of security.
Conduct business units walk-through.
Use intranet to post security reminders or host security
column.
Appointment of security awareness mentors.
Sponsor a security awareness day.
Sponsor an event with an external partner.
Provide trinkets for users that support security principles.
Provide security management videos, books, web sites,
and collateral for references.
Selected Professional Education

Certified Information Systems Security Professional
(CISSP), (ISC)2 http://www.isc2.org/

Systems Security Certified Practitioner (SSCP),
(ISC)2. http://www.isc2.org/

Certified Information Systems Auditor (CISA),
ISACA. http://www.isaca.org/

Certified Information Security Manager (CISM),
ISACA. http://www.isaca.org/

Global Information Assurance Certification (GIAC),
SANS Institute. http://www.giac.org/
Potential Practical Projects
• Develop an information security plan.
• Review and propose a security organization
redesign.
• Develop a security hiring plan.
- Write a job description for a security position.
- Write an advertisement for a security job.
• Develop a security background check program.
• Develop a security awareness plan / program.
• Develop a security training plan / program.

similar documents