Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security Office: Function, Alignment in the Organization, Goals, and Objectives Presentation to Sacramento PMO March 2011 Kevin Dickey.

Published byHolly Cross Modified over 8 years ago

Similar presentations

Presentation on theme: "Information Security Office: Function, Alignment in the Organization, Goals, and Objectives Presentation to Sacramento PMO March 2011 Kevin Dickey."— Presentation transcript:

1 Information Security Office: Function, Alignment in the Organization, Goals, and Objectives Presentation to Sacramento PMO March 2011 Kevin Dickey

2 Getting folks on-board CEO Board of Directors All Business Units  Leverage Applicable Laws to your Industry

3 Security Infrastructure includes Policies, Standards, Baselines, Guidelines, Procedures, Plans and Programs. This infrastructure supports all security components including: Security awareness Both disaster and business recovery Risk assessment, and IT security

4 Policies Established to express conceptual information security organizational goals in the Information Security Program. Information Security Program “Best Practices” which, once established, sets the foundation of a proven program to protect the availability, integrity, and privacy of controlled assets.

5 Standards Established to support implementation of Information Security Policy. Standards can address: Personnel security Employee conduct Data classification Data labeling Data handling Data transmission Data encryption VPNs Asset management Physical security Data routing Data recovery Access control Firewall standard Network security Network application Data switching Logging Alarms Security maintenance

6 Baselines Established to ensure a specific set of security requirements that all systems must meet or exceed. Information Technology Security Evaluation Criteria (ITSEC) Trusted Computer Security Evaluation Criteria (TCSEC) Common Criteria for Information Technology Security Evaluation (CCITT)

7 Guidelines Established to formalize adoption of information security best practices. Guidelines can address: Access control Data protection Router configuration Organizational security

8 Procedures Established to detail information security implementation in support of relevant standards and policies. Procedures can address: Alarm Security maintenance Terminal server add/modify/delete Password/shared secret change Firewall setup Incident response Risk management Backup/Restore System user add/delete/modify Customer provisioning Equipment maintenance Asset control

9 Plans/Programs Established to meet information security goals. Plans and programs can address: Information security awareness Cybersecurity and Terrorism Change control Incident response Intrusion detection Business continuity Acceptance test

10 Components of an Information Security Program 1. Chief Information Security Officer, CISO 2. Information Security Advisory Committee, ISAC 3. Information Security Policies 4. Information Security Awareness, Training and Education (SATE) 5. Information Identification and Classification 6. Information Risk Assessment 7. Implementation of Information Security Controls 8. Monitor Effectiveness and Assurance 9. Business Continuity and Disaster Recovery

11 Chief Information Security Officer (CISO) Purpose  develop organization-wide policies  assist business units in the development of procedures  administer the organization-wide Information Security Program Attributes  direct reporting method to the CEO regardless of where they report administratively  not subjected to business unit budget constraints or cutbacks.

12 Information Security Advisory Committee (ISAC) Purpose  review and update Information Security Program and Policies  ensures policies enable business units to accomplish their business objectives.  keeps information security policies in line with business goals  provides cross-organizational involvement

13 Information Security Advisory Committee (ISAC) cont. Members  CISO  Business Unit Representatives also act as Business Unit information security champions work with all managers  ensure files and databases have designated owners  coordinate requests for user IDs and data access  Coordinate SATE within their Business Unit  help develop unique specific policies and procedures

14 Information Security Policies Purpose  set forth information security policy objectives  high-level guidance or vision directing the organization  cornerstone for managing and controlling assets Attributes  identify informational assets  define who is responsible for classifying and valuing assets  defines who must comply  describes employee role in protection and recovery  provide for monitoring and enforcement

15 Information Security Policies cont. Characteristics  short, easy to read, and not incorporate technical terms  protect people, the facilities, as well as data

16 Information Security Awareness, Training and Education (SATE) Purpose  means of ensuring employee understanding and/or recognition of responsibilities Elements  signed personnel agreement include the protection of assets as a condition of employment  security login banners  training  posters  contests

17 Information Identification and Classification Purpose  standards and procedures by which information resources are managed and accessed. identify and classify information  both collected and maintained by the information owner and custodian(s) based on information content sensitivity and importance. Methodology  Categorize content E.G. Medical Records, Project Data, Fiscal Budget, etc.  Classify based on categories.

18 Information Identification and Classification cont. Classification scheme  helps employees determine – owner defined adequate and appropriate procedures associated access controls for information protection and distribution based upon Federal, State, or Local laws and jurisdictions

19 Information Risk Assessment Purpose  quantify the benefits of an Information Security Program as a function of cost  policies are needed to reduce risk, and risk analysis is used to justify security policies and technologies Concepts  Risk: anything that could potentially cause harm operations, assets, or organization profitability/legal requirements

20 Information Risk Assessment cont.  Risk Analysis: formal process of determining what your informational assets are worth threat/exposures due to vulnerabilities potential harm if the identified vulnerabilities are exploited.  Result: cost vs. benefit analysis cost to implement fixes, mitigate risk, or increase protection cost of the asset's loss.

21 Implementation of Information Security Controls Purpose  defines roles in developing and implementing information security Roles  Board of Directors Protect and ensure for continuity of the Organization  Administrators and Business Unit Directors Protect and ensure for prosperity of their departments  Managers Maintain information as a strategic asset

22 Implementation of Information Security Controls cont.  Chief Information Security Officer Ensure written policies are developed and implemented  Internal Information Systems Auditor Ensure that information security policies are followed  System Administrators, Technicians and Installers Ensure technology assets are configured in a secure manner  Users Ultimate responsibility for appropriate use of information

23 Monitor Effectiveness and Assurance Purpose  assess the measures that have been implemented  ensure information security goals are being met Attributes  collect information from processes that measure effectiveness  independent review and evaluation  requires separation of duties

24 Business Continuity and Disaster Recovery Purpose  ensure the organization can resume business processing in the event of a disaster Concepts  Contingency Plans (Business Continuity Plans) address the business side of departments facilities, personal, procedures, forms and supplies  Disaster Recovery Plans (Operational Recovery Plans) address recovery of information technology assets computers, storage, electronic communications and data

25 Business Continuity and Disaster Recovery cont. Attributes  Identification of applications and systems in priority order operating systems, utilities, programs, and data documentation  Preparation of crucial aspects off-site storage facility procedures testing and validation

26 Summary Executive sponsorship and support are essential Needed to help safeguard assets  both logical and physical assets Foundation to ensure availability, integrity and confidentiality of organizational controlled assets Based on industry & government ‘best practices’ Sanctioned by Industry Standards

27 Questions?

Download ppt "Information Security Office: Function, Alignment in the Organization, Goals, and Objectives Presentation to Sacramento PMO March 2011 Kevin Dickey."

Similar presentations

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Software Quality Assurance Plan

Software Quality Assurance Plan
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
VITA [Virginia Information Technologies Agency]

VITA [Virginia Information Technologies Agency]
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Unit # 3: Information Security and Risk Management

Unit # 3: Information Security and Risk Management
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
EASTERN MICHIGAN UNIVERSITY Continuity of Operations Planning (COOP)

EASTERN MICHIGAN UNIVERSITY Continuity of Operations Planning (COOP)

Similar presentations

Ads by Google