Managing Information Security
COMM037 Computer Security
Dr Hans Georg Schaathun
University of Surrey
Autumn 2010 – Week 3
Dr Hans Georg Schaathun Managing Information Security Autumn 2010 – Week 3 1 / 47
Session objectives
- Understand fundamental concepts of management
- Be able to use management concepts to plan effective and cost-efficient security measures
- Understand the principles of accountability and responsibility in information security

Reading: Whitman and Mattord Ch. 5; Raggad Ch. 2–3; (additional) Gollmann Ch. 2.2–2.6

Outline
1 Some high-level viewpoints
2 Management Concepts
3 Information Security Lifecycle
4 Policies and Documents
5 Closing

1 Some high-level viewpoints

Security and Management
"... information security is primarily a management problem, not a technical one ..." (Whitman & Mattord 2005)
Why do they say this?
- Security is not a product or service in itself.
- It is a feature of other products, services, or processes.
- Management of these processes must encompass security:
  - product development processes
  - service provision processes
  - other business processes

The CObIT Information Criteria (quick recap)
- Security is only part of the criteria
- The CIA requirements guard the value of information, together with the other CObIT criteria
- A large organisation and its information assets
  - is a fine and complex machinery
  - requires management with attention to all requirements
The CObIT criteria (figure): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

The fundamental dilemma (IBM whitepaper view)
Ambivalent attitude to security in businesses:
1 security problems cause serious losses
  - money
  - reputation
2 security does not contribute to business processes
  - it becomes a pure cost, like insurance and estates
Security is important, but it has to be cheap

Value for Money in Security
How do you measure value for money in security?
- Minimise the number of incidents with impact?
- Maximise the number of incidents controlled by the security features purchased?
- What would have been the impact if you did not pay for security?

Security in Context
- We want security to serve business processes
- We cannot build a wall around the business
  - the business operates in a world of hazards
- Security must be part of the processes
  - protecting the business in a world of hazards
  - ... not shielding it from the world

2 Management Concepts
  Layers of Management
  Functional Organisation

Layers of Management

Different Layers of Management
Strategic Management: Upper management do long-term planning. They define and evaluate organisation-wide, overall goals.
Functional Management: Middle management is specialised for different functional areas of the organisation, such as finance, IT, (security?), estates, production, etc. Yet functional managers have a long-term view, and work closely with upper management.
Operational Management: Lower management is responsible for the day-to-day running of the business. Operational managers steer towards goals and targets set by higher-level managers, and manage the finer detail of the organisation.
Which layer is responsible for information security?

Strategic Management
- Security Planning
- Security Auditing and Certification
- Risk appetite
  - expensive, high-security service
  - low-cost service with some risk
Strategic choices depend on customer base and target market

Senior Information Risk Owner (SIRO)
- Government requirement for all government departments
- Board-level individual responsible for information security across the department
What’s the purpose of this role?
- Raise security awareness to board level
  - integrate security in board-level management
- Consistent risk management
  - one individual to decide on acceptable risk
- Liability and accountability?
  - someone to sack when it goes wrong?
  - or will the SIRO be able to pin the blame on someone else?
Some departments have reached farther than others

Functional Management
- Risk management
- Risk-driven programme

Operational Management
- Implementations
  - firewalls
  - security software deployments
- Administration and Maintenance
  - software patches
  - monitoring
  - configuration
- Response to Incidents
  - Recovery
  - Reporting

Functional Organisation

Security in the Organisation: Question
Do we need a functional unit for (Information) Security?
- Information Security could be part of IT.
- Information Security could be a separate Unit, alongside IT.

Organisational Model: with a Security Functional Unit (Raggad) [figure]

Organisational Model: without a Security Functional Unit (Raggad) [figure]

Security in the Organisation
Do we need a functional unit for (Information) Security?
- Functional Unit Heads take part in Strategic Management
- With a Security Functional Unit
  - Security is represented in Upper Management
- Without the Security Functional Unit
  - the Security Head does not take part in Strategic Planning
  - i.e. s/he is not a SIRO in the government sense.
Could the Head of General IT take the role of SIRO?

3 Information Security Lifecycle
  Life Cycles
  Information Security Lifecycle

Life Cycles

Managing a Project
1 Analyse
2 Plan
3 Implement
4 Enjoy the fruits of your work ...
5 Done. Leave it behind you.
6 Next Project.
What is missing here?

Learning Cycles: a general cycle
A cycle of questions (figure), each leading into the next:
- What have we done?
- What to change?
- What shall it be?
- What to do?
- Do it! Enjoy it!

Learning Cycles: a general cycle (2)
The same cycle with its stages named (figure): Evaluation, Analysis, Vision, Plan, Action, Benefit
Learn from each step – input into the next step

Information Security Lifecycle / Life Cycles
Using the cycle (slide 26)
Evaluation and reflection
- think through what you have done at each step
- use your experience in the next step
- make each iteration better than the last
Experience does not always give improvement
- improvement is a conscious effort, based on experience
- many people have a beginner's experience over and over again
Adapt it to your style and the problem at hand
- where do you start? (analysis? action? plan?)
- many short cycles, or fewer long ones?
Don't overdo it
- constant reflection and evaluation leaves no time for real work
- reserve time for reflection, to think back
- use the rest of the time to act, to move forward
Information Security Lifecycle / Life Cycles
Applying the cycle (slide 27)
Software development lifecycle
- waterfall methodologies: few iterations
- agile development: many iterations
  - rapid iterations to acquire understanding and experience
  - use this to improve planning
Personal development
- plan your own development
- reflect to improve
Management
- periodic reviews of the organisation
- develop new plans and implement changes
Information Security Lifecycle / Information Security Lifecycle
Outline (slide 28)
1. Some high-level viewpoints
2. Management Concepts
3. Information Security Lifecycle
   - Life Cycles
   - Information Security Lifecycle
4. Policies and Documents
5. Closing
Information Security Lifecycle / Information Security Lifecycle
The Information Security Lifecycle: ISO 27004 (slide 29)
The lifecycle is the Plan-Do-Check-Act (PDCA) cycle of the ISMS model in ISO/IEC 27001 (2005 edition); ISO/IEC 27004 covers the measurement of control effectiveness that the Do and Check phases below rely on.
Plan
1. Assess the realistic likelihood of security failures
2. Select objectives and controls
Do
1. Implement the controls
2. Define how to measure the effectiveness of the controls
3. Measure the effectiveness of the controls, to verify that the security requirements are met
Check
1. Regular review
2. Review risk assessments
3. Include the results of the effectiveness measurements
4. Management review of the ISMS
5. The output of the review includes updates of risks and improvement decisions
Act
1. Implement the identified improvements in the ISMS
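As an added example (not from the lecture), the Do-phase steps "define how to measure" and "measure the effectiveness of controls" carried out for one assumed control, in the measurement structure ISO/IEC 27004 describes: base measures counted per host, a derived measure (the compliance ratio), and an indicator compared against a decision criterion whose outcome is handed to the Check phase. The control (critical patches applied within 14 days), the 95 % target, the measurement date and the host inventory are all constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed control selected in the Plan phase: "critical patches are applied
# to every server within SLA_DAYS of release". The Do phase has to say how
# its effectiveness is measured before the Check phase can review it.
SLA_DAYS = 14
TARGET_RATIO = 0.95  # decision criterion agreed with management (assumed)


@dataclass(frozen=True)
class Host:
    name: str
    patch_released: date
    patch_applied: Optional[date]  # None: not applied yet


# Constructed inventory for the illustration; not real data.
INVENTORY = [
    Host("web-01", date(2010, 9, 1), date(2010, 9, 3)),
    Host("web-02", date(2010, 9, 1), date(2010, 9, 20)),   # 19 days: late
    Host("db-01", date(2010, 9, 1), date(2010, 9, 10)),
    Host("db-02", date(2010, 9, 1), None),                 # still unpatched
    Host("mail-01", date(2010, 9, 1), date(2010, 9, 15)),  # 14 days: on the boundary
    Host("dns-01", date(2010, 9, 25), None),               # SLA window still open
]
AS_OF = date(2010, 10, 1)  # constructed measurement date


def host_status(host: Host, as_of: date) -> str:
    """Base measure for one host.

    A host that is unpatched but whose SLA window has not closed yet must
    not be counted as a failure, nor as a success: it is simply not due.
    """
    if host.patch_applied is not None:
        days = (host.patch_applied - host.patch_released).days
        return "compliant" if days <= SLA_DAYS else "late"
    if (as_of - host.patch_released).days <= SLA_DAYS:
        return "not-yet-due"
    return "overdue"


def measure(inventory, as_of: date) -> dict:
    """Derived measure, indicator and decision for the whole population."""
    counts = {"compliant": 0, "late": 0, "overdue": 0, "not-yet-due": 0}
    failing = []
    for host in inventory:
        status = host_status(host, as_of)
        counts[status] += 1
        if status in ("late", "overdue"):
            failing.append(host.name)
    due = counts["compliant"] + counts["late"] + counts["overdue"]
    # Derived measure: share of the hosts that were due which met the SLA.
    ratio = counts["compliant"] / due if due else None
    return {
        "as_of": as_of.isoformat(),
        "base_measures": counts,
        "compliance_ratio": ratio,
        "meets_target": ratio is not None and ratio >= TARGET_RATIO,
        "hosts_to_review": sorted(failing),  # input to the Check phase
    }


if __name__ == "__main__":
    for key, value in measure(INVENTORY, AS_OF).items():
        print(f"{key}: {value}")
```

On the constructed inventory the ratio is 0.6 against a 0.95 target, so the indicator fails and the two non-compliant hosts go to the review; the host whose window is still open is excluded from both numerator and denominator, which is the detail most home-grown metrics get wrong.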
Policies and Documents
Outline (slide 30)
1. Some high-level viewpoints
2. Management Concepts
3. Information Security Lifecycle
4. Policies and Documents
   - Communication
   - Case Study (Policy)
5. Closing
Policies and Documents / Communication
Communication with your Organisation (slide 32)
The organisation is a finely tuned machine
- each part must know its role
- all the parts must be co-ordinated to work together
Management is responsible for co-ordination and consistency
- it has the overview
Everyone must know his or her own part
- good communication is key to co-ordination
Policies, standards, and other documents are essential communication tools
Policies and Documents / Communication
Warning (slide 33)
Documents do not exist for their own sake
- documents are not security features
- each document has a purpose; otherwise it is not worth writing
- each document has a target audience, and must be written specifically for that audience; different audiences have different needs and abilities
Don't write documents that no one will read
- don't make the document longer than what will be read
If you do not know why you are writing a particular document, it is bound to be a bad one.
Policies and Documents / Communication
Documents (slide 34)
Three levels of document, each answering a different question:
  Policy     - Why
  Standard   - What
  Guideline  - How
Policies and Documents / Communication
Security Policy (slide 35)
Definition (Organisational Security Policy): The laws, rules, and practices regulating how an organisation manages, protects, and distributes resources to achieve specified security policy objectives.
Definition (Automated Security Policy): The set of restrictions and properties that specify how a computing system prevents information and computing resources from being used to violate an organisational security policy.
Policies and Documents / Communication
Scope of the Security Policy (slide 36)
The organisational security policy
- aims to secure the resources of the organisation
- is not limited to software and hardware: the users are part of the system
The automated security policy
- is one of the means of implementing the organisational security policy
- is limited to software and hardware
Organisation and management
- contribute to security
- privileges must be assigned intelligently
- privileged users must use their rights correctly
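To make the distinction concrete, an added example (not from the lecture) of how one organisational policy statement is narrowed to an automated security policy that software can enforce, and what is left over for organisation and management. The policy statement, the role names, the resource class and the sample requests are all constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed organisational policy statement (covers people and machines):
#   "Personnel records are confidential. HR staff may read them; only HR
#    managers may change them. System administrators may back them up but
#    must not read their contents. Every access must be attributable to a
#    named person, and roles are granted only by the head of HR."
#
# The automated policy below is the part of that statement a computing
# system can enforce: which role may perform which action on which class
# of resource. Everything else stays an organisational control.


@dataclass(frozen=True)
class Rule:
    role: str
    action: str
    resource_class: str


# Closed allow-list: a request matching no rule is denied (default deny).
AUTOMATED_POLICY = frozenset({
    Rule("hr-staff", "read", "personnel-record"),
    Rule("hr-manager", "read", "personnel-record"),
    Rule("hr-manager", "write", "personnel-record"),
    Rule("sysadmin", "backup", "personnel-record"),  # raw copy only, no read
})

# Obligations from the same statement that no access-control rule can carry;
# listed so the gap is explicit and assigned to management, not forgotten.
ORGANISATIONAL_ONLY = [
    "roles are granted only by the head of HR (privilege assignment)",
    "a sysadmin must not read the backup media they legitimately produced",
    "an hr-staff member must not pass on a record they were entitled to read",
]


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: Dict[str, object] = field(default_factory=dict)


def authorise(user: str, roles: Set[str], action: str, resource_class: str) -> Decision:
    """Reference-monitor style check of one request against AUTOMATED_POLICY.

    The audit record is how the system meets "every access must be
    attributable": the rules decide, but accountability needs the identity
    recorded on every decision, allowed or not.
    """
    audit = {"user": user, "roles": sorted(roles), "action": action,
             "resource_class": resource_class}
    if not user:
        return Decision(False, "anonymous requests cannot be attributed", audit)
    for role in sorted(roles):
        if Rule(role, action, resource_class) in AUTOMATED_POLICY:
            return Decision(True, f"permitted by role '{role}'", audit)
    return Decision(False, "no matching rule (default deny)", audit)


def evaluate(requests: List[Tuple[str, Set[str], str, str]]) -> List[Decision]:
    """Run a batch of (user, roles, action, resource_class) requests."""
    return [authorise(*req) for req in requests]


if __name__ == "__main__":
    # Constructed requests, including the cases the rules must refuse.
    sample = [
        ("alice", {"hr-staff"}, "read", "personnel-record"),
        ("alice", {"hr-staff"}, "write", "personnel-record"),  # not a manager
        ("bob", {"sysadmin"}, "backup", "personnel-record"),
        ("bob", {"sysadmin"}, "read", "personnel-record"),     # admin is not a reader
        ("", {"hr-manager"}, "read", "personnel-record"),       # unattributable
    ]
    for d in evaluate(sample):
        print("ALLOW" if d.allowed else "DENY ", d.audit, "-", d.reason)
```

The point of the split is the one the slide makes: the automated policy can stop a sysadmin from opening a record through the application, but it cannot stop the same person reading the backup tape, and it cannot decide who deserves the hr-manager role; those remain matters of assigning privileges intelligently and of privileged users using their rights correctly.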
Policies and Documents / Communication
Policies and Other Documents (slide 37)
Policy: defines the priorities and focuses on the why of security. Responsibilities are assigned, and security requirements may be defined.
Standard: defines mandatory rules of conduct, aiming to implement the policy.
Guidelines: a set of best practice and advice to help units and individuals implement the policies and the standards. They are not mandatory.
![Page 84: Managing Information Security€¦ · Some high-level viewpoints Outline 1 Some high-level viewpoints 2 Management Concepts 3 Information Security Lifecycle 4 Policies and Documents](https://reader033.vdocuments.mx/reader033/viewer/2022060319/5f0cbdf37e708231d436e820/html5/thumbnails/84.jpg)
Policies and Documents Communication
The Audience: The Organisational Security Policy
Different audiences
  Users
  Owners
  System Administrators
  Customers (and other beneficiaries)
  Developers (system designers and programmers)
Each group needs
  1 Assurance: their security needs are taken care of
  2 Awareness of their responsibility: they know to act correctly, maintaining security
Structure of the Policy
No set format for policies
  you write what the application requires
  different organisations have different needs
It depends on other documents
  some things are necessary, but could go in the policy document or elsewhere:
  Catalogue of Assets, Threat Descriptions, Risk Analysis
Literature tends to focus on large corporations
  rarely explicit or specific
  but tends to assume a dozen people in the information security department...
Very little literature on policies for SMEs
  Ilona Ilvonen (ECIW 2009)
Bottom line: there is no cookbook for this
  you will have to think, and look at what the problem requires
Policies must be managed over time
  we will return to this
Information Security Management Life Cycle (Ilona Ilvonen 2009)
1. Define goals, roles, and responsibilities
2. Analyse current status and risks
3. Define/Update policies and procedures
4. Training and awareness
(the cycle then returns to step 1)
Security Policy in Context: Systems Design
Working as a system designer
  what is the role of the security policy?
Requirements gathering
  many requirements are stated in the policy
  many requirements follow from the policy
Policies and Documents Case Study (Policy)
Outline
1 Some high-level viewpoints
2 Management Concepts
3 Information Security Lifecycle
4 Policies and Documents
  Communication
  Case Study (Policy)
5 Closing
The Enron/Andersen Scandal
The Enron Corporation (USA, energy trading)
  criminal investigation for fraud (2001–2002)
Arthur Andersen LLP
  world-renowned accounting firm, Enron's auditor
Andersen was implicated when it destroyed client files... relating to Enron
Security Policy or Obstruction of Justice?
Andersen staff charged with obstruction of justice
  shredding documents relevant to the investigation
Claimed to be following policy
  Andersen should not keep client files longer than necessary
Who's right? Should client files be destroyed?
A question of timing
When policy contradicts law
  the law is right
  the policy is illegal
However, that was not the problem
  inconsistent implementation of the policy
  shredding started only after the investigation became known
Consistent and timely shredding according to policy
  one could get away with that
Timely shredding according to policy, before the investigation is known
  that's OK
Closing
Summary
Security awareness and decisions are required at all levels of management
  Strategic management
  Functional management
  Operational management
Good communication is essential to implement decisions in the organisation
Management and development require continuous learning and improvement
Lifecycles are a common and useful model
  evaluation and reflection are key to the cycle