Management of Information Security

Chapter 1: Introduction to the Management of Information Security

“If this is the information superhighway, it’s going through a lot of bad, bad neighborhoods.”

-- DORIAN BERGER, 1997

Dec 21, 2015

Brandon Black


Introduction

Information technology is critical to business and society

Computer security is evolving into information security

Information security is the responsibility of every member of an organization, but managers play a critical role

Introduction

Information security involves three distinct communities of interest:

– Information security managers and professionals

– Information technology managers and professionals

– Non-technical business managers and professionals

Communities of Interest

InfoSec community: protect information assets from threats

IT community: support business objectives by supplying appropriate information technology

Business community: policy and resources

What Is Security?

“The quality or state of being secure—to be free from danger”

Security is achieved using several strategies simultaneously

Specialized Areas of Security

Physical security

Personal security

Operations security

Communications security

Network security

Information Security (InfoSec)

Computer Security

Information Security

InfoSec includes information security management, computer security, data security, and network security

Policy is central to all information security efforts

FIGURE 1-1 Components of Information Security

CIA Triangle

The C.I.A. triangle is made up of:

– Confidentiality

– Integrity

– Availability

Over time the list of characteristics has expanded, but these three remain central

Figure 1-2 NSTISSC Security Model

Key Concepts of Information Security

Confidentiality

– Confidentiality of information ensures that only those with sufficient privileges may access certain information

– To protect confidentiality of information, a number of measures may be used including:

Information classification

Secure document storage

Application of general security policies

Education of information custodians and end users

Key Concepts of Information Security

Integrity

– Integrity is the quality or state of being whole, complete, and uncorrupted

– The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state

– Corruption can occur while information is being compiled, stored, or transmitted
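The slide says corruption can occur while information is compiled, stored, or transmitted; what it does not show is how a system detects that its authentic state has been disrupted. The Python below is an added example (not code from the slides or the textbook): a record is sealed with an HMAC-SHA256 tag when it is compiled, and whoever reads it back from storage or receives it over a link recomputes the tag and refuses the record if any byte changed. The key, the sample record, and the corrupted copy are all constructed for the example.

```python
"""Detecting corruption of a record in storage or transit (added example).

The record is sealed with an HMAC-SHA256 tag when it is compiled. A reader
recomputes the tag and rejects the record if its contents no longer match.
Key, sample record and simulated fault are constructed for this example.
"""
import hashlib
import hmac
import json

# Constructed key for the example. A real deployment loads it from a key
# store; without the key nobody can produce a valid tag for altered data.
INTEGRITY_KEY = b"example-integrity-key"


def _canonical(record: dict) -> bytes:
    # Fixed key order and spacing so identical content always gives identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Package a record with a tag computed over its canonical form."""
    body = _canonical(record)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify(envelope: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the body still matches its tag (constant-time comparison)."""
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def open_record(envelope: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return the record's contents, or raise if its authentic state was disrupted."""
    if not verify(envelope, key):
        raise ValueError("integrity check failed: record altered in storage or transit")
    return json.loads(envelope["body"])


def simulate_corruption(envelope: dict, old: str, new: str) -> dict:
    """Constructed fault: part of the stored body changes while the tag stays as written."""
    return {"body": envelope["body"].replace(old, new), "tag": envelope["tag"]}


if __name__ == "__main__":
    sealed = seal({"account": "A-1001", "amount": 1500, "currency": "USD"})
    print("stored copy intact:", verify(sealed))
    damaged = simulate_corruption(sealed, "1500", "9500")
    print("damaged copy intact:", verify(damaged))
    try:
        open_record(damaged)
    except ValueError as err:
        print("rejected:", err)
```

A plain SHA-256 digest over the body would catch accidental damage, but anyone who can rewrite the body can rewrite a bare digest too; the key is what stops a valid tag from being recomputed for altered contents by someone who lacks it.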

Key Concepts of Information Security

Availability

– Availability is making information accessible for user access without interference or obstruction, in the required format

– A user in this definition may be either a person or another computer system

– Availability means availability to authorized users

Key Concepts of Information Security

Privacy

– Information is to be used only for purposes known to the data owner

– This does not focus on freedom from observation, but rather that information will be used only in ways known to the owner

Key Concepts of Information Security

Identification

– Information systems possess the characteristic of identification when they are able to recognize individual users

– Identification and authentication are essential to establishing the level of access or authorization that an individual is granted

Key Concepts of Information Security

Authentication

– Authentication occurs when a control provides proof that a user possesses the identity that he or she claims

Key Concepts of Information Security

Authorization

– After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset

Key Concepts of Information Security

Accountability

– The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process
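The Confidentiality, Identification, Authentication, Authorization and Accountability slides describe five characteristics one at a time; in a real control they are applied in sequence on every request. The Python below is an added example (not code from the slides or the textbook) that walks one access request through all five: the system first checks that it recognizes the principal (identification), then checks proof of the claimed identity against a salted password hash (authentication), then requires both sufficient clearance for the asset's classification (confidentiality) and an explicit grant for the requested action (authorization), and finally writes every decision, allowed or denied, to an audit log attributed to the named person or automated process (accountability). The principals, passwords, asset, classification scale and grants are constructed for the example.

```python
"""One access request carried through identification, authentication,
authorization and accountability (added example, not from the slides).
Principals, passwords, the asset and the grants below are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed classification scale for the confidentiality rule: a principal may
# reach an asset only if its clearance is at least the asset's classification.
LEVEL = {"public": 0, "internal": 1, "confidential": 2}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessControl:
    def __init__(self):
        self.principals = {}  # identification: name -> credential record and clearance
        self.assets = {}      # asset name -> classification label
        self.grants = {}      # (principal, asset) -> actions explicitly authorized
        self.audit_log = []   # accountability: one entry per decision, attributed by name

    def register(self, name, password, clearance):
        salt = os.urandom(16)
        self.principals[name] = {"salt": salt, "hash": _hash_password(password, salt),
                                 "clearance": clearance}

    def add_asset(self, asset, classification):
        self.assets[asset] = classification

    def grant(self, name, asset, actions):
        self.grants[(name, asset)] = set(actions)

    def identify(self, name):
        # Identification: does the system recognize this individual user at all?
        return name in self.principals

    def authenticate(self, name, password):
        # Authentication: proof that the caller possesses the identity it claims.
        rec = self.principals[name]
        return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])

    def authorize(self, name, asset, action):
        # Authorization: clearance covers the classification, and the action was
        # specifically and explicitly granted for this asset.
        if asset not in self.assets:
            return False, "unknown asset"
        if LEVEL[self.principals[name]["clearance"]] < LEVEL[self.assets[asset]]:
            return False, "insufficient clearance"
        if action not in self.grants.get((name, asset), set()):
            return False, "action not granted"
        return True, "granted"

    def _record(self, name, asset, action, allowed, reason):
        # Accountability: every activity, permitted or not, is attributed to a name.
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "principal": name, "asset": asset, "action": action,
                               "allowed": allowed, "reason": reason})

    def request(self, name, password, asset, action):
        if not self.identify(name):
            self._record(name, asset, action, False, "unknown principal")
            return False
        if not self.authenticate(name, password):
            self._record(name, asset, action, False, "authentication failed")
            return False
        allowed, reason = self.authorize(name, asset, action)
        self._record(name, asset, action, allowed, reason)
        return allowed


def build_demo():
    """Constructed sample: two people, one automated process, one classified asset."""
    ac = AccessControl()
    ac.register("alice", "alice-pw", "confidential")
    ac.register("bob", "bob-pw", "internal")
    ac.register("payroll-batch", "svc-pw", "confidential")  # a computer system as the user
    ac.add_asset("payroll.db", "confidential")
    ac.grant("alice", "payroll.db", ["read"])
    ac.grant("bob", "payroll.db", ["read"])  # granted, but clearance blocks it
    ac.grant("payroll-batch", "payroll.db", ["read", "update"])
    return ac


if __name__ == "__main__":
    ac = build_demo()
    for who, pw, act in [("alice", "alice-pw", "read"), ("alice", "nope", "read"),
                         ("bob", "bob-pw", "read"), ("alice", "alice-pw", "delete"),
                         ("payroll-batch", "svc-pw", "update"), ("mallory", "x", "read")]:
        ac.request(who, pw, "payroll.db", act)
    for entry in ac.audit_log:
        print(entry["principal"], entry["action"], entry["allowed"], entry["reason"])
```

The order matters: authorization is never consulted until authentication has succeeded, and the denial reasons in the log let a reviewer see which characteristic failed for each attempt.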

What Is Management?

A process of achieving objectives using a given set of resources

To manage the information security process, first understand core principles of management

A manager is “someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals”

Managerial Roles

Informational role: Collecting, processing, and using information to achieve the objective

Interpersonal role: Interacting with superiors, subordinates, outside stakeholders, and other

Decisional role: Selecting from alternative approaches and resolving conflicts, dilemmas, or challenges

Differences Between Leadership and Management

The leader influences employees so that they are willing to accomplish objectives

He or she is expected to lead by example and demonstrate personal traits that instill a desire in others to follow

Leadership provides purpose, direction, and motivation to those that follow

A manager administers the resources of the organization by:

– Creating budgets

– Authorizing expenditures

– Hiring employees

A manager can also be a leader.

Characteristics of a Leader

1. Bearing

2. Courage

3. Decisiveness

4. Dependability

5. Endurance

6. Enthusiasm

7. Initiative

8. Integrity

9. Judgment

10. Justice

11. Knowledge

12. Loyalty

13. Tact

14. Unselfishness

What Makes a Good Leader?

Action plan for improvement of leadership abilities

1. Knows and seeks self-improvement

2. Be technically and tactically proficient

3. Seek responsibility and take responsibility for your actions

4. Make sound and timely decisions

5. Set the example

6. Knows [subordinates] and looks out for their well-being

What Makes a Good Leader? (Continued)

Action plan for improvement of leadership abilities

7. Keeps subordinates informed

8. Develops a sense of responsibility in subordinates

9. Ensures the task is understood, supervised, and accomplished

10. Builds the team

11. Employs a team in accordance with its capabilities

Behavioral Types of Leaders

Three basic behavioral types of leaders:

– Autocratic – action-oriented, “Do as I say”

– Democratic – action-oriented and likely to be less efficient

– Laissez-faire – laid-back

Characteristics of Management

Two well-known approaches to management:

– Traditional management theory using principles of planning, organizing, staffing, directing, and controlling (POSDC)

– Popular management theory categorizes principles of management into planning, organizing, leading, and controlling (POLC)

Planning

Planning: process that develops, creates, and implements strategies for the accomplishment of objectives

Three levels of planning:

– Strategic – occurs at the highest level of the organization

– Tactical – focuses on production planning and integrates organizational resources

– Operational – focuses on day-to-day operations of local resources

Planning (Continued)

In general, planning begins with the strategic plan for the whole organization

– To do this successfully, the organization must thoroughly define its goals and objectives

Organization

Organization: a principle of management dedicated to the structuring of resources to support the accomplishment of objectives

Organizing tasks requires determining:

– What is to be done

– In what order

– By whom

– By which methods

– When

Leadership

Encourages the implementation of the planning and organizing functions, including supervising employee behavior, performance, attendance, and attitude

Leadership generally addresses the direction and motivation of the human resource

Control

Control:

– Monitoring progress toward completion

– Making necessary adjustments to achieve the desired objectives

The controlling function determines what must be monitored, as well as using specific control tools to gather and evaluate information

Solving Problems

All managers face problems that must be solved.

Step 1: Recognize and Define the Problem

Step 2: Gather Facts and Make Assumptions

Step 3: Develop Possible Solutions

Step 4: Analyze and Compare the Possible Solutions

Step 5: Select, Implement, and Evaluate a Solution

Principles of Information Security Management

Information security management is part of the organizational management team.

The extended characteristics of information security are known as the six Ps:

– Planning

– Policy

– Programs

– Protection

– People

– Project Management

InfoSec Planning

Planning as part of InfoSec management is an extension of the basic planning model discussed earlier in this chapter

Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment

InfoSec Planning Types

Several types of InfoSec plans exist:

– Incident response

– Business continuity

– Disaster recovery

– Policy

– Personnel

– Technology rollout

– Risk management

– Security program including education, training, and awareness

Policy

Policy: set of organizational guidelines that dictates certain behavior within the organization

In InfoSec, there are three general categories of policy:

– General program policy (Enterprise Security Policy)

– An issue-specific security policy (ISSP)

– System-specific policies (SSSPs)

Programs

Programs: specific entities managed in the information security domain

A security education, training, and awareness (SETA) program is one such entity

Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, and so on

Protection

Risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, and tools

Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan

People

People are the most critical link in the information security program

It is imperative that managers continuously recognize the crucial role that people play

Including information security personnel and the security of personnel, as well as aspects of the SETA program

Project Management

Project management discipline should be present throughout all elements of the information security program

Involves

– Identifying and controlling the resources applied to the project

– Measuring progress and adjusting the process as progress is made toward the goal