Information Security Office: Function, Alignment in the Organization, Goals, and Objectives Presentation to Sacramento PMO March 2011 Kevin Dickey
Getting folks on-board CEO Board of Directors All Business Units Leverage Applicable Laws to your Industry
Security Infrastructure includes Policies, Standards, Baselines, Guidelines, Procedures, Plans and Programs. This infrastructure supports all security components including: Security awareness Both disaster and business recovery Risk assessment, and IT security
Policies Established to express conceptual information security organizational goals in the Information Security Program. Information Security Program “Best Practices” which, once established, sets the foundation of a proven program to protect the availability, integrity, and privacy of controlled assets.
Standards Established to support implementation of Information Security Policy. Standards can address: Personnel security Employee conduct Data classification Data labeling Data handling Data transmission Data encryption VPNs Asset management Physical security Data routing Data recovery Access control Firewall standard Network security Network application Data switching Logging Alarms Security maintenance
Baselines Established to ensure a specific set of security requirements that all systems must meet or exceed. Information Technology Security Evaluation Criteria (ITSEC) Trusted Computer Security Evaluation Criteria (TCSEC) Common Criteria for Information Technology Security Evaluation (CCITT)
Guidelines Established to formalize adoption of information security best practices. Guidelines can address: Access control Data protection Router configuration Organizational security
Procedures Established to detail information security implementation in support of relevant standards and policies. Procedures can address: Alarm Security maintenance Terminal server add/modify/delete Password/shared secret change Firewall setup Incident response Risk management Backup/Restore System user add/delete/modify Customer provisioning Equipment maintenance Asset control
Plans/Programs Established to meet information security goals. Plans and programs can address: Information security awareness Cybersecurity and Terrorism Change control Incident response Intrusion detection Business continuity Acceptance test
Components of an Information Security Program 1. Chief Information Security Officer, CISO 2. Information Security Advisory Committee, ISAC 3. Information Security Policies 4. Information Security Awareness, Training and Education (SATE) 5. Information Identification and Classification 6. Information Risk Assessment 7. Implementation of Information Security Controls 8. Monitor Effectiveness and Assurance 9. Business Continuity and Disaster Recovery
Chief Information Security Officer (CISO) Purpose develop organization-wide policies assist business units in the development of procedures administer the organization-wide Information Security Program Attributes direct reporting method to the CEO regardless of where they report administratively not subjected to business unit budget constraints or cutbacks.
Information Security Advisory Committee (ISAC) Purpose review and update Information Security Program and Policies ensures policies enable business units to accomplish their business objectives. keeps information security policies in line with business goals provides cross-organizational involvement
Information Security Advisory Committee (ISAC) cont. Members CISO Business Unit Representatives also act as Business Unit information security champions work with all managers ensure files and databases have designated owners coordinate requests for user IDs and data access Coordinate SATE within their Business Unit help develop unique specific policies and procedures
Information Security Policies Purpose set forth information security policy objectives high-level guidance or vision directing the organization cornerstone for managing and controlling assets Attributes identify informational assets define who is responsible for classifying and valuing assets defines who must comply describes employee role in protection and recovery provide for monitoring and enforcement
Information Security Policies cont. Characteristics short, easy to read, and not incorporate technical terms protect people, the facilities, as well as data
Information Security Awareness, Training and Education (SATE) Purpose means of ensuring employee understanding and/or recognition of responsibilities Elements signed personnel agreement include the protection of assets as a condition of employment security login banners training posters contests
Information Identification and Classification Purpose standards and procedures by which information resources are managed and accessed. identify and classify information both collected and maintained by the information owner and custodian(s) based on information content sensitivity and importance. Methodology Categorize content E.G. Medical Records, Project Data, Fiscal Budget, etc. Classify based on categories.
Information Identification and Classification cont. Classification scheme helps employees determine – owner defined adequate and appropriate procedures associated access controls for information protection and distribution based upon Federal, State, or Local laws and jurisdictions
Information Risk Assessment Purpose quantify the benefits of an Information Security Program as a function of cost policies are needed to reduce risk, and risk analysis is used to justify security policies and technologies Concepts Risk: anything that could potentially cause harm operations, assets, or organization profitability/legal requirements
Information Risk Assessment cont. Risk Analysis: formal process of determining what your informational assets are worth threat/exposures due to vulnerabilities potential harm if the identified vulnerabilities are exploited. Result: cost vs. benefit analysis cost to implement fixes, mitigate risk, or increase protection cost of the asset's loss.
Implementation of Information Security Controls Purpose defines roles in developing and implementing information security Roles Board of Directors Protect and ensure for continuity of the Organization Administrators and Business Unit Directors Protect and ensure for prosperity of their departments Managers Maintain information as a strategic asset
Implementation of Information Security Controls cont. Chief Information Security Officer Ensure written policies are developed and implemented Internal Information Systems Auditor Ensure that information security policies are followed System Administrators, Technicians and Installers Ensure technology assets are configured in a secure manner Users Ultimate responsibility for appropriate use of information
Monitor Effectiveness and Assurance Purpose assess the measures that have been implemented ensure information security goals are being met Attributes collect information from processes that measure effectiveness independent review and evaluation requires separation of duties
Business Continuity and Disaster Recovery Purpose ensure the organization can resume business processing in the event of a disaster Concepts Contingency Plans (Business Continuity Plans) address the business side of departments facilities, personal, procedures, forms and supplies Disaster Recovery Plans (Operational Recovery Plans) address recovery of information technology assets computers, storage, electronic communications and data
Business Continuity and Disaster Recovery cont. Attributes Identification of applications and systems in priority order operating systems, utilities, programs, and data documentation Preparation of crucial aspects off-site storage facility procedures testing and validation
Summary Executive sponsorship and support are essential Needed to help safeguard assets both logical and physical assets Foundation to ensure availability, integrity and confidentiality of organizational controlled assets Based on industry & government ‘best practices’ Sanctioned by Industry Standards
Questions?