Security Organization


Security Organization Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 chu@ist.psu.edu Theory  Practice Learning by Doing IST 515

Objectives This module will familiarize you with the following: Security planning. Responsibilities of the chief information security officer (CISO). Security organizational structure - reporting models. What is the most effective security structure within an organization? Security organization best practices. Personnel security. Security awareness, training and education.

Readings Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the CISSP CBK, Auerbach, 2007. Domain 1 (Required). Benson, C., "Security Planning." (Required) http://technet.microsoft.com/en-us/library/cc723503.aspx Johnson, M. E. and Goetz, E., "Embedding Information Security into the Organization," IEEE Security & Privacy, May/June 2007, pp. 16-24. ISO, "Organization of Information Security," http://www.iso27001security.com/ISO27k_Organization_of_information_security.rtf PricewaterhouseCoopers, "The Global State of Information Security Survey," 2005.

[Diagram: security domains shown on the slide: Security Policy; Organizational Design / Security Management; Asset Classification and Control; Access Control; Compliance; Personnel Security; Awareness / Education; Physical and Environmental Security; System Development and Maintenance; Communications & Operations Mgmt.; Business Continuity Management. Axis labels: Organizational, Operational, Environmental.]

Security Management Practice Security Governance. Security Policies, Procedures, Standards, Guidelines, and Baselines. Security Planning. Security Organization. Personnel Security. Security Audit and Control. Security Awareness, Training and Education. Risk Assessment and Management. Professional Ethics.

Principles of Organizational Design Strategic alignment. Organization structure - functional vs. matrix. Span of control - hierarchy. Reporting relationship (governance). Job descriptions. Staffing and skill requirements (training). Grading (reward structure). Clarity about the boundaries with other organizational groups. Alsbridge, "Designing Your Organization for BPO and Shared Services." http://www.sourcingmag.com/content/c070219a.asp

Information Security Planning Planning reduces the likelihood that the organization will be merely reactive toward its security needs. Security planning involves developing security policies and implementing controls to prevent identified computer risks from becoming reality. The risk assessment provides the baseline for security plans that protect assets against the various threats.

Hierarchy of Security Planning Strategic Planning (3-5 years). Strategic plans are aligned with the strategic business and IT goals. They provide the vision for projects that achieve the business objectives. The plans should be reviewed annually or whenever a major change to the business occurs. Tactical Planning (6-18 months). Tactical plans provide the broad initiatives that support and achieve the goals specified in the strategic plans. Operational and Project Planning. Specific plans with milestones, dates and accountabilities provide the communication and direction needed to ensure that the individual projects are completed.

Types of Security Planning Proactive Planning: Develop security policies and controls. Implement tools and techniques to aid in security: secure access, secure data, and secure code; techniques for network security (firewall, VPN); detection tools. Implement technologies to keep the system running in the event of a failure. Reactive Planning: Develop a contingency plan.

Examples of Security Plans The Department of Housing and Urban Development, SYSTEM SECURITY PLAN (SSP) TEMPLATE. http://www.nls.gov/offices/cio/sdm/devlife/tempchecks/mastemplate.doc California State University, Chico. http://www.csuchico.edu/ires/security/documents/Information%20Security%20Plan%20052009%20v5_1.pdf Sample Security Plan - Adventure Works.

Benson, C., “Security Planning.” (Required) http://technet.microsoft.com/en-us/library/cc723503.aspx

Johnson, M. E. and Goetz, E., “Embedding Information Security into the Organization,” IEEE Security & Privacy, May/June 2007, pp. 16-24.

Security Related People Security is the responsibility of everyone within the organization. Related people include: Executive management. Chief information security officer (CISO). Information systems security professional. Data / information / business owner. Information systems auditor. Information systems / IT professional. Systems / network / security administrator. Help desk administrator. Administrative assistant / secretary. End users.

CISO Responsibilities Communicate risks to executive management. Budget for information security activities. Ensure development of policies, procedures, baselines, standards, and guidelines. Develop and provide security awareness program. Understand business objectives. Maintain awareness of emerging threats and vulnerabilities. Evaluate security incidents and response. Develop security compliance program. Establish security metrics. Participate in management meetings. Ensure compliance with governmental regulations. Assist internal and external auditors. Stay abreast of emerging technologies.

CISO Reporting Models Reporting to the CEO. Reporting to the information technology (IT) department. Reporting to corporate security. Reporting to the administrative services department. Reporting to the insurance and risk management department. Reporting to the internal audit department. Reporting to the legal department. What are the pros and cons of each reporting model?

[Chart: To whom the CISO reports. Source: PwC Global State of Information Security Survey 2005.]

Organization of Information security (http://www.iso27001security.com/)

[Org chart (Johnson and Goetz, 2007), box labels: CEO; CTO; CFO; COO; Legal/Chief; CIO; CPO; Corp Sec; Director, Information Security Division; SPOCS; Policy compliance; Technology security operations; Risk management.]

What are They? CEO: Chief Executive Officer. CFO: Chief Financial Officer. CTO: Chief Technology Officer. CIO: Chief Information Officer. COO: Chief Operating Officer. CISO: Chief Information Security Officer. CSO: Chief Security Officer. CPO: Chief Privacy Officer.

[Org chart (Johnson and Goetz, 2007), box labels: Board; IA; CEO; CFO; CTO; CIO; LB; LB; Real Estate; Workplace Service; Security Office; Business IT; IT Infrastructure; Health & Safety; CISO; Global security; Workplace security; Supply chain security; Business information security manager; Strategy, architecture and consulting; Host network security; Program process manager; Incident management; Compliance management.]

[Org chart, box labels: Director of Security; Security Advisory Group; Administration Assistant; Critical Infrastructure Service Continuity Protection & Standards, Policies and Procedures; Security Infrastructure & Technical Support; Risk Management; Information Security Training & Awareness; Incident Management.]

Security Organization Best Practice Job rotation. Job rotation reduces the risk of collusion between individuals. Separation of duties. One individual should not have the capability to execute all of the steps of a particular process. Least privilege (need to know). Granting users only the access that is required to perform their job functions. Mandatory vacations. Requiring mandatory vacations of a specified consecutive-day period. Job position sensitivity. The access and duties of an individual in a particular department should be assessed to determine the sensitivity of the position.

Separation of Duties The same individual should not typically perform the following functions: Systems administration Network management Data entry Computer operations Security administration Systems development and maintenance Security auditing Information systems management Change management
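As an added illustration (not code from the lecture) of two of the practices above, the following Python checks role assignments for separation-of-duties conflicts using the function list on the slide, and scans activity dates for people who never took the mandatory consecutive-day absence. The names, assignments, dates and the five-day threshold are constructed assumptions.

```python
from datetime import date, timedelta
from itertools import combinations

# Functions the "Separation of Duties" slide says one individual should not
# typically combine; any two of them held by the same person is a conflict.
CONFLICTING_DUTIES = {
    "systems administration", "network management", "data entry",
    "computer operations", "security administration",
    "systems development and maintenance", "security auditing",
    "information systems management", "change management",
}

def sod_violations(assignments):
    """assignments: {person: set of duty names}.
    Returns {person: [(duty_a, duty_b), ...]} for every conflicting pair held."""
    found = {}
    for person, duties in assignments.items():
        held = sorted(d for d in duties if d in CONFLICTING_DUTIES)
        pairs = list(combinations(held, 2))
        if pairs:
            found[person] = pairs
    return found

def longest_absence(active_days, start, end):
    """Longest run of consecutive calendar days in [start, end] with no
    recorded activity for the person (sign-ons, tickets, changes, ...)."""
    active, best, run, day = set(active_days), 0, 0, start
    while day <= end:
        run = 0 if day in active else run + 1
        best = max(best, run)
        day += timedelta(days=1)
    return best

def vacation_violations(activity, start, end, min_days=5):
    """activity: {person: dates with recorded activity}. Returns the people
    who never stepped away for min_days consecutive days in the period."""
    return sorted(p for p, days in activity.items()
                  if longest_absence(days, start, end) < min_days)

# Constructed sample data (not from the slides). alice both maintains and
# administers systems; dave never misses a weekday, erin was out 1-14 Feb.
ASSIGNMENTS = {
    "alice": {"systems development and maintenance", "systems administration"},
    "bob": {"security auditing"},
    "carol": {"data entry", "help desk"},
}
START, END = date(2024, 1, 1), date(2024, 3, 31)
WEEKDAYS = [START + timedelta(days=i) for i in range((END - START).days + 1)
            if (START + timedelta(days=i)).weekday() < 5]
ACTIVITY = {
    "dave": WEEKDAYS,
    "erin": [d for d in WEEKDAYS if not date(2024, 2, 1) <= d <= date(2024, 2, 14)],
}
```

Running `sod_violations(ASSIGNMENTS)` flags alice, and `vacation_violations(ACTIVITY, START, END)` returns dave, who never had more than a weekend without activity.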

Personnel Security - Hiring Practices Managing the people aspect of security, from pre-employment to post-employment, is critical to ensuring that trustworthy, competent staff are employed to further the business objectives and protect company information. Developing job descriptions. Developing confidentiality agreements. Contacting references - reference checks. Screening / investigating background. Ongoing supervision and periodic performance reviews. Determining policies on vendor, contractor, consultant and temporary staff access. Employee terminations, which need different levels of care.

Background Checks Background checks can uncover the following problems: Gaps in employment. Misrepresentation of job titles. Job duties. Salary. Reasons for leaving a job. Validity and status of professional certification. Education verification and degrees obtained. Credit history. Driving records. Criminal history. Personal references. Social security number verification.

Special Types of Background Checks Individuals involved in technology. Individuals with access to confidential or sensitive information. Employees with access to company proprietary or competitive data. Positions working with accounts payable, receivables, or payroll. Positions dealing directly with the public. Employees working for healthcare industry-based organizations or organizations dealing with financial information. Positions involving driving a motor vehicle. Employees who will come in contact with children.

Elements of Professional Development (NIST, SP 800-100)

[Diagram: The IT Security Learning Continuum (NIST, SP 800-100). Levels shown: Security Awareness; Security Basics & Literacy; role-based functional areas: Manage, Acquire, Design & Develop, Implement & Operate, Review & Evaluate, Use.]

Security Awareness Provide an understanding of the importance of security within an organization. Inform employees about their roles, and the expectations surrounding their roles, in the observance of information security requirements. Provide guidance on the performance of particular security or risk management functions, as well as information on the security or risk management functions in general. Educate users in the fulfillment of the organization's security program objectives, which may also include audit objectives for organizations that are bound by regulatory compliance (e.g., HIPAA, the Sarbanes-Oxley Act).

Topics for Security Awareness Corporate security policies. Organization's security program. Regulatory compliance requirements. Social engineering. Business continuity. Disaster recovery. Emergency management. Security incident response. Data classification. Information labeling and handling. Personnel security, safety and soundness. Physical security. Appropriate computing resource use. Proper care and handling of security credentials. Risk assessment. Accidents, errors or omissions.

Awareness Activities and Methods Formalized courses, face-to-face or online. Use of posters to call attention to aspects of security. Conduct business unit walk-throughs. Use the intranet to post security reminders or host a security column. Appointment of security awareness mentors. Sponsor a security awareness day. Sponsor an event with an external partner. Provide trinkets for users that reinforce security principles. Provide security management videos, books, web sites, and collateral for reference.

Selected Professional Education Certified Information Systems Security Professional (CISSP), (ISC)2 http://www.isc2.org/ Systems Security Certified Practitioner (SSCP), (ISC)2. http://www.isc2.org/ Certified Information Systems Auditor (CISA), ISACA. http://www.isaca.org/ Certified Information Security Manager (CISM), ISACA. http://www.isaca.org/ Global Information Assurance Certification (GIAC), SANS Institute. http://www.giac.org/

Potential Practical Projects Develop an information security plan. Review and propose a security organization redesign. Develop a security hiring plan. - Write a job description for a security position. - Write an advertisement for a security job. Develop a security background check program. Develop a security awareness plan / program. Develop a security training plan / program.