CSC4003: Computer and Information Security Professor Mark Early, M.B.A., CISSP, CISM, PMP, ITILFv3, ISO/IEC 27002, CNSS/NSA 4011
Agenda Chapter 24: Information Technology Security Management
INFORMATION TECHNOLOGY SECURITY MANAGEMENT
FISMA
Federal Information Security Management Act (FISMA)
– Created by National Institute of Standards and Technology (NIST)
– Describes information security guidelines
– Describes a risk management framework
  Paramount in implementing an IT security management plan
– Usable by any organization
Figure 24.1 Specifications in the Federal Information Security Management Act.
International Standards Organization
ISO/IEC 17799:2005
– Published by the International Standards Organization and the International Electrotechnical Commission (ISO/IEC)
– Security guidelines and general principles
  Initiating, implementing, maintaining, improving
– Guidance on commonly accepted goals
– Best practices of control objectives and controls
– Intended to meet risk assessment requirements
Figure 24.2 International Standards Organization best-practice areas.
Professional Societies
The Internet Society
– Organization home for groups responsible for Internet infrastructure standards
  Internet Engineering Task Force (IETF)
  Internet Architecture Board (IAB)
Information Security Forum
– Global nonprofit organization
– Provides research into best practices and advice
– Produces biannual Standard of Good Practice
Security Policies and Procedures
Essential steps for implementing IT security management
– Authorize security roles and responsibilities to various security personnel
– Set rules for expected behavior from users and security role players
– Set rules for business continuity plans
Security policy requirements
– General agreement by most personnel
– Support of highest-level management
  This is the “teeth”
Example Security Policies
– Information Security Program
– Information Security Roles & Responsibilities
– Acceptable Use Policy (AUP)
– Risk Management Program
– Vulnerability Management
– Patch Management
– Encryption
– Media Disposal
– Asset Accountability
– Password Policy
– Remote Access Policy
– Log/Event Management
– Auditing
– Unique User Account
– Wireless Security
– Network Security
– Physical Security
– Business Continuity/Disaster Recovery
– Awareness Training
Security Organization Structure
What are some important issues to include in a security policy?
Various security-related roles
– End user
– Executive management
– Security officer
– Data/information owners
– Information system auditor
– Information technology personnel
– Systems administrator
Processes: Continuity and Governance
Business continuity strategy
– Requires senior management commitment
– Includes business impact assessment/risk analysis
  Focuses on business value drivers determined by main stakeholders
IT security governance planning
– Includes prioritization as its major function
– Determines priorities among potentially conflicting interests
  Budget setting, resource allocation, politics
Processes: Rules and Regulations
Consider state, national, and international rules and regulations
– FISMA
– HIPAA
– SOX
– Gramm-Leach-Bliley Act
– Computer Fraud and Abuse Act
– State privacy laws
Summary
Information technology security management
– Processes enable organizational structure
– Technology protects IT operations and assets
Security policies and procedures
– Require general agreement and management support
IT security processes
– Part of an organization’s risk management process and business continuity strategy
– Be aware of national and international rules and regulations