Management of Information Security
Chapter 1: Introduction to the Management of Information Security
"If this is the information superhighway, it's going through a lot of bad, bad neighborhoods." -- DORIAN BERGER, 1997
Introduction
Information technology is critical to business and society
Computer security is evolving into information security
Information security is the responsibility of every member of an organization, but managers play a critical role
Introduction
Information security involves three distinct communities of interest:
– Information security managers and professionals
– Information technology managers and professionals
– Non-technical business managers and professionals
Communities of Interest
InfoSec community: protect information assets from threats
IT community: support business objectives by supplying appropriate information technology
Business community: policy and resources
What Is Security?
"The quality or state of being secure—to be free from danger"
Security is achieved using several strategies simultaneously
Specialized Areas of Security
Physical security
Personal security
Operations security
Communications security
Network security
Information Security (InfoSec)
Computer Security
Information Security
InfoSec includes information security management, computer security, data security, and network security
Policy is central to all information security efforts
FIGURE 1-1 Components of Information Security
CIA Triangle
The C.I.A. triangle is made up of:
– Confidentiality
– Integrity
– Availability
Over time the list of characteristics has expanded, but these three remain central
Key Concepts of Information Security
Confidentiality
– Confidentiality of information ensures that only those with sufficient privileges may access certain information
– To protect confidentiality of information, a number of measures may be used including:
  Information classification
  Secure document storage
  Application of general security policies
  Education of information custodians and end users
Key Concepts of Information Security
Integrity
– Integrity is the quality or state of being whole, complete, and uncorrupted
– The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state
– Corruption can occur while information is being compiled, stored, or transmitted
Key Concepts of Information Security
Availability
– Availability means that information is accessible to users without interference or obstruction, in the required format
– A user in this definition may be either a person or another computer system
– Availability means availability to authorized users
Key Concepts of Information Security
Privacy
– Information is to be used only for purposes known to the data owner
– This does not focus on freedom from observation, but rather that information will be used only in ways known to the owner
Key Concepts of Information Security
Identification
– Information systems possess the characteristic of identification when they are able to recognize individual users
– Identification and authentication are essential to establishing the level of access or authorization that an individual is granted
Key Concepts of Information Security
Authentication
– Authentication occurs when a control provides proof that a user possesses the identity that he or she claims
Key Concepts of Information Security
Authorization
– After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset
Key Concepts of Information Security
Accountability
– The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process
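The chain of identification, authentication, authorization and accountability described in the preceding slides, as an added Python example (not code from the textbook or its slides): each attempt to reach an asset passes through the four controls in order, and every attempt, allowed or denied, is written to an audit log so it can be attributed to a named user. The user names, passwords, asset name and ACL entries are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data: a user store with salted password hashes and an
# access-control list. User names, passwords and the asset name are invented.
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def _make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}

USERS = {
    "alice": _make_user("correct horse"),
    "bob": _make_user("battery staple"),
}

# Authorization data: only explicit grants by the proper authority; anything
# absent from the table is denied.
ACL = {
    ("alice", "payroll.db", "read"): True,
    ("alice", "payroll.db", "update"): True,
    ("bob", "payroll.db", "read"): True,
}

# Accountability data: one record per attempt, successful or not.
AUDIT_LOG = []

def identify(user_id):
    """Identification: the system recognises the claimed user id."""
    return user_id in USERS

def authenticate(user_id, password):
    """Authentication: proof that the caller possesses the claimed identity."""
    if not identify(user_id):
        # Hash anyway so an unknown id takes as long as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    rec = USERS[user_id]
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])

def authorize(user_id, asset, action):
    """Authorization: was this user explicitly granted this action on this asset?"""
    return ACL.get((user_id, asset, action), False)

def access_asset(user_id, password, asset, action):
    """Run the full chain and record an accountability entry for the attempt."""
    if not authenticate(user_id, password):
        outcome = "denied:authentication"
    elif not authorize(user_id, asset, action):
        outcome = "denied:authorization"
    else:
        outcome = "allowed"
    AUDIT_LOG.append({"time": time.time(), "user": user_id,
                      "asset": asset, "action": action, "outcome": outcome})
    return outcome

if __name__ == "__main__":
    for args in [("alice", "correct horse", "payroll.db", "update"),
                 ("bob", "battery staple", "payroll.db", "update"),
                 ("mallory", "guess", "payroll.db", "read")]:
        print(args[0], args[3], "->", access_asset(*args))
```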
What Is Management?
A process of achieving objectives using a given set of resources
To manage the information security process, first understand core principles of management
A manager is "someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals"
Managerial Roles
Informational role: Collecting, processing, and using information to achieve the objective
Interpersonal role: Interacting with superiors, subordinates, outside stakeholders, and others
Decisional role: Selecting from alternative approaches and resolving conflicts, dilemmas, or challenges
Differences Between Leadership and Management
The leader influences employees so that they are willing to accomplish objectives
He or she is expected to lead by example and demonstrate personal traits that instill a desire in others to follow
Leadership provides purpose, direction, and motivation to those that follow
A manager administers the resources of the organization by:
– Creating budgets
– Authorizing expenditures
– Hiring employees
A manager can also be a leader.
Characteristics of a Leader
1. Bearing
2. Courage
3. Decisiveness
4. Dependability
5. Endurance
6. Enthusiasm
7. Initiative
8. Integrity
9. Judgment
10. Justice
11. Knowledge
12. Loyalty
13. Tact
14. Unselfishness
What Makes a Good Leader?
Action plan for improvement of leadership abilities
1. Knows and seeks self-improvement
2. Be technically and tactically proficient
3. Seek responsibility and take responsibility for your actions
4. Make sound and timely decisions
5. Set the example
6. Knows [subordinates] and looks out for their well-being
What Makes a Good Leader? (Continued)
Action plan for improvement of leadership abilities
7. Keeps subordinates informed
8. Develops a sense of responsibility in subordinates
9. Ensures the task is understood, supervised, and accomplished
10. Builds the team
11. Employs a team in accordance with its capabilities
Behavioral Types of Leaders
Three basic behavioral types of leaders:
– Autocratic – action-oriented, "Do as I say"
– Democratic – action-oriented and likely to be less efficient
Characteristics of Management
Two well-known approaches to management:
– Traditional management theory using principles of planning, organizing, staffing, directing, and controlling (POSDC)
– Popular management theory categorizes principles of management into planning, organizing, leading, and controlling (POLC)
Planning
Planning: process that develops, creates, and implements strategies for the accomplishment of objectives
Three levels of planning:
– Strategic – occurs at highest level of organization
– Tactical – focuses on production planning and integrates organizational resources
– Operational – focuses on day-to-day operations of local resources
Planning (Continued)
In general, planning begins with the strategic plan for the whole organization
– To do this successfully, organization must thoroughly define its goals and objectives
Organization
Organization: a principle of management dedicated to structuring resources to support the accomplishment of objectives
Leadership
Encourages the implementation of the planning and organizing functions, including supervising employee behavior, performance, attendance, and attitude
Leadership generally addresses the direction and motivation of the human resource
– Making necessary adjustments to achieve the desired objectives
The controlling function determines what must be monitored, as well as using specific control tools to gather and evaluate information
Solving Problems
All managers face problems that must be solved.
Step 1: Recognize and Define the Problem
Step 2: Gather Facts and Make Assumptions
Step 3: Develop Possible Solutions
Step 4: Analyze and Compare the Possible Solutions
Step 5: Select, Implement, and Evaluate a Solution
Principles of Information Security Management
Information security management is part of the organizational management team.
The extended characteristics of information security are known as the six Ps:
– Planning
– Policy
– Programs
– Protection
– People
– Project Management
InfoSec Planning
Planning as part of InfoSec management is an extension of the basic planning model discussed earlier in this chapter
Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment
InfoSec Planning Types
Several types of InfoSec plans exist:
– Incident response
– Business continuity
– Disaster recovery
– Policy
– Personnel
– Technology rollout
– Risk management
– Security program including education, training and awareness
Policy
Policy: set of organizational guidelines that dictates certain behavior within the organization
In InfoSec, there are three general categories of policy:
– General program policy (Enterprise Security Policy)
– An issue-specific security policy (ISSP)
Programs
Programs: specific entities managed in the information security domain
A security education, training and awareness (SETA) program is one such entity
Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, and so on
Protection
Risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, and tools
Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan
People
People are the most critical link in the information security program
It is imperative that managers continuously recognize the crucial role that people play
Including information security personnel and the security of personnel, as well as aspects of the SETA program
Project Management
Project management discipline should be present throughout all elements of the information security program
Involves
– Identifying and controlling the resources applied to the project
– Measuring progress and adjusting the process as progress is made toward the goal