Posted on 21-Dec-2015
Chapter 5: Developing the Security Program
Presented by: Jennifer, Sergey & Kalagee
Slides by: Ryan
Outline
• Introduction
• Organizing for Security
• Information Security Placement
• Components of the Security Program
• Information Security Roles and Titles
• Security Education, Training, and Awareness
Introduction
• Security Program
– Entire set of personnel, plans, and policies related to Information Security
• Information Security
– Corporate or physical security
• Information Security Program
– Structured effort to contain risks to information assets
Organizing for Security
• Security Program Influences
– Organizational culture
– Company size and available resources
– Security personnel and capital budget
Organization Sizes
• Small (10-100 computers)
– 20% of IT budget
• Medium (100-1,000 computers)
– 11% of IT budget
• Large (1,000-10,000 computers)
– 5% of IT budget
• Very Large (10,000+ computers)
– 6% of IT budget
Information Security Functions
• Risk Assessment
• Risk Management
• Systems Testing
• Policy
• Legal Assessment
• Incident Response
• Planning
• Vulnerability Assessment
• Measurement
• Compliance
• Centralized Authentication
• Systems Security Administration
• Training
• Network Security Administration
Security Function Distribution
• Non-technology business units
– Legal assessment and training
• IT groups outside of information security
– Systems and network administration
• Information security as customer service
– Planning, testing, risk assessment, incident response, vulnerability assessment
• Information security as compliance enforcement
– Policy, compliance, and risk management
Large Org. Staffing
Very Large Org. Staffing
Medium Org. Staffing
Small Org. Staffing
Security Placement
• Openness to new ideas
• Clout with top management
• Respect in the eyes of a wide variety of employees
• Comfort and familiarity with information security concepts
• Willingness to defend the best interest of the organization in the long run
Security Placement Locations
• IT
• Security
• Administrative Services
• Insurance and Risk Management
• Strategy and Planning
• Legal
• Internal Audit
• Help Desk
• Accounting and Finance Through IT
• Human Resources
• Facilities Management
• Operations
IT
Security
Administrative Services
Insurance & Risk
Strategy & Planning
Legal
Other Options
• Internal Audit
• Help Desk
• Accounting and Finance Through IT
• Human Resources
• Facilities Management
• Operations
Components of the Security Program
• InfoSec needs are unique to culture, size, and budget of organization
• Guided by mission and vision statements
• CIO and CISO use mission and vision statements to formulate InfoSec program mission statement
Elements of a Security Program (NIST)
• Policy
• Program management
• Risk management
• Life-cycle planning
• Personnel and user issues
• Contingency and disaster recovery planning
• Computer security incident handling
Elements of a Security Program (NIST)
• Awareness and training
• Security considerations
• Physical and environmental security
• Identification and authentication
• Logical access control
• Audit trails
• Cryptography
Information Security Roles and Titles
• Those that define
– Provide policies, guidelines, and standards
• Those that build
– Create and install security solutions
• Those that administer
– Monitor and improve the security process
Job Function Categories
• Chief Information Security Officer (CISO)
• Security manager
• Security administrator/analyst
• Security technician
• Security staffer
• Security consultant
• Security officer and investigator
• Help desk personnel
Chief Information Security Officer (CISO)
• Assessment, management, and implementation of the InfoSec program
• Other Titles
– Manager for Security
– Security Administrator
• In most cases reports to the CIO
Security Manager
• Oversee day-to-day operation of the InfoSec program
– Scheduling
– Setting priorities
– Administering procedural tasks
• Report to CISO
• Some technical knowledge
Security Administrator/Analyst
• Have both technical knowledge and managerial skill
• Manage day-to-day operation of the InfoSec program
• Assist in development and delivery of training programs and policies
Security Technician
• Subject matter experts
• Implement security software
• Diagnose and troubleshoot problems
• Coordinate with administrators to ensure security is properly implemented
• Tend to be specialized
Security Staffer
• Individuals who perform routine watch-standing activities
– Intrusion detection consoles
– Monitor email
– Perform routine, yet critical, tasks
Security Consultants
• Expert in some aspect of InfoSec
– Disaster recovery
– Business continuity planning
– Policy development
– Strategic planning
Security Officers and Investigators
• Sometimes necessary to protect highly sensitive data from physical threats
• Three G’s of physical security
– Guards
– Gates
– Guns
Help Desk Personnel
• Enhances security team’s ability to identify potential problems
• Must be prepared to identify and diagnose problems
– Traditional technical problems
– Threats to information security
Security Education, Training, and Awareness (SETA)
• Responsibility of the CISO
• Designed to reduce accidental security breaches
• Can improve employee behavior
• Informs members of the organization about where to report violations of policy
• Allows organizations to hold employees accountable for their actions
Purpose of SETA
• Enhance security
– By building in-depth knowledge to design, implement, or operate security programs for organizations and systems
– By developing skills and knowledge so that computer users can perform their jobs more securely
– By improving awareness of the need to protect system resources
Security Education
• Information security training programs must address:
– Information security educational components
– General education requirements
Developing InfoSec Curricula
• InfoSec standards
– ACM
– IEEE
– ABET
• No security curricula models
Developing InfoSec Curricula
• Must carefully map expected learning outcomes
• Knowledge map
– Helps potential students assess various InfoSec programs
– Identifies skills and knowledge clusters obtained by program graduates
InfoSec Knowledge Map
Security Training
• Provides employees with hands-on training
• In-house or outsourced
• NIST provides free InfoSec training documents – NIST SP 800-16
Security Training
• Customizing training by functional background
– General user
– Managerial user
– Technical user
• Job category
• Job function
• Technology product
Security Training
• Customizing training by skill level
– Novice
– Intermediate
– Advanced
Training for General Users
• Commonly during employee orientation
• Employees are educated on a wide variety of policies
– Good security practices
– Password management
– Specialized access controls
– Violation reporting
Training for Managerial Users
• Similar to general training
• More personalized
• Small groups
• More interaction and discussion
Training for Technical Users
• Developing advanced technical training
– By job category
– By job function
– By technology product
Training Techniques
• Use correct teaching methods
• Take advantage of latest learning technology
• Use best practices
• On-site training is beneficial
Delivery Methods
• Delivery method choice is influenced by
– Budget
– Scheduling
– Needs of the organization
• Delivery methods
– One-on-one
– Formal class
– Computer-Based Training (CBT)
Delivery Methods (cont)
• Distance learning
• Web Seminars
• User Support Group
• On-Site Training
• Self-Study
Selecting Training Staff
• Local training program
• Continuing education department
• External training agency
• Hire a professional trainer
• Hire a consultant, or someone from an accredited institution, to conduct on-site training
• Organize and conduct training in-house using the organization’s own employees
Implementing Training
1. Identify program scope, goals and objectives
2. Identify training staff
3. Identify target audiences
4. Motivate management and employees
5. Administer the program
6. Maintain the program
7. Evaluate the program
Security Awareness
• Change organizational culture to realize the importance of InfoSec
• Users need to be reminded of the standards and procedures
• Gives employees a sense of responsibility and importance
Security Awareness Program
• Focus on people
• Don’t use technical jargon
• Use every available medium
• Define a learning objective
• Help users understand their roles
• Don’t overload users with too much information
• Take advantage of in-house communication
• Make the awareness program formal
• Provide good information early
Employee Behavior and Awareness
• Educate employees on how to
– Properly handle information
– Use applications
– Operate within the organization
• This minimizes the risk of accidental compromise, damage, or destruction of information
Employee Accountability
• Effective training programs make employees accountable for their actions
• “Ignorance of the law excuses no one”
• A constant reminder of the consequences of abusing or misusing information resources can help protect the organization against lawsuits
Awareness Techniques
• Changes based on intended audience
• Security awareness program
– Can use many methods to deliver its message
– Developed with the assumption that people tend to practice a tuning-out process
– Awareness techniques should be creative and frequently changed
Developing Security Awareness Components
• Videos
• Posters and banners
• Lectures and conferences
• Computer-based training
• Newsletters
• Brochures and flyers
• Trinkets
• Bulletin boards
Posters
Newsletters
• Cost-effective
• Distributed via e-mail, hard copy, or intranet
• Consists of a front page, index, volume, and contact information
• May contain articles, policies, how-to’s, security events, upgrades, incidents, etc.
Trinket Program
• Most expensive
• Gets attention instantly
• Mugs, calendars, t-shirts, pens, holders, etc.
InfoSec Awareness Website
• Tips
– Don’t reinvent
– Plan ahead
– Minimal page loading time
– Attractive look and feel
– Always seek feedback
– Test everything; assume nothing
– Promote the website
Conclusions
• Information security programs can be dramatically different for organizations of varying size, but they all have the same goal
– To secure information and information assets
• This is achieved by
– Optimal placement of InfoSec within the organization
– Security education, training, and awareness (SETA)
Questions?