Information Security IBK3IBV01 College 3 Paul J. Cornelisse
Organization of Information Security The Internal Information Security Organization
Organization of Information Security To protect their information assets, public and private organizations need to consider how best to manage their information security efforts
Organization of Information Security To ensure comprehensive protection for all the organization’s information, the approach should address information security comprehensively, organization- wide
Organization of Information Security An enterprise-wide approach also facilitates management oversight and coordination of information security efforts
Organization of Information Security The design of the information security management framework should ensure it is properly tuned to the operational needs of the organization, which should primarily focus on the management of risks to its information assets
Organization of Information Security The design of the information security function must provide a management framework The framework permits effective initiation Implementation and control of information security activities within the organization
Organization of Information Security This includes Planning Coordination management of major information security projects as well as Monitoring Measuring Tracking
Organization of Information Security As well as overseeing the implementation of all aspects of the organization information security program
Organization of Information Security To have the requisite level of authority, the information security function must be led by a member of the organization’s management staff be positioned in the organizational management structure where the visibility of information security can be ensured
Organization of Information Security Today, leadership of the information security organization resides at the executive level with most large organizations. The position is that of the Chief Information Security Officer (CISO)
Organization of Information Security The process of organizing information security must address factors such as its mission its composition its placement within the organizational structure its authority towards other elements of the organization its responsibilities the functions it must perform its lines of communication and coordination
Organization of Information Security Based on knowledge of the current state of the organization’s information security posture, as well as the future state, organizations must then perform a gap analysis to identify unmet requirements, and a path forward for meeting them
Organization of Information Security The organization should clearly define the boundaries of the information security function to address interfaces with other internal elements that perform security-related functions
Organization of Information Security These may include: information technology operations personnel security function privacy staff the physical security office
Organization of Information Security Relationships should be documented in coordinated operational agreements charters concepts of operations or CONOPs procedures, etc.
Organization of Information Security Management Support Management must also recognize its own responsibility for information security by communicating this fact both in written and oral means
Organization of Information Security It is within management’s purview to ensure that the goals for the security of organization information are established through strategic and tactical planning maintained, emphasized, and measured
Organization of Information Security Management must act to ensure the organization has a mechanism for creating an information security policy that facilitates goal achievement
Organization of Information Security Management must ensure: the approved information security policy is properly implemented and consequently must take action to ensure that it has a mechanism for monitoring implementation activities for effectiveness
Organization of Information Security Organizational management must render appropriate direction and support for initiatives relating to its information security program
Organization of Information Security awareness campaign rollout of a new security strategy introduction of a new security process or solution Through such efforts, management can promote and foster a culture of security
Organization of Information Security The security of organization information requires a multidisciplinary approach involving: all organizational elements personnel
engage expertise available within the organization to include: the general counsel public affairs facility security and engineering personnel security union management human resources Training Contracting Finance internal audit information technology operations system development capital planning Insurance enterprise architecture Privacy and records management Organization of Information Security
The objective of cross-organization coordination should be collaboration and cooperation. Organization of Information Security
Contact with Authorities Contact with Special Interest Groups Management Authorization Confidentiality Agreements External Parties Assessment of External Risks
Volgende week: Cryptology