Published by Alban Golden. Modified over 8 years ago.
1
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
2
INTRODUCTION TO PERSONNEL AND SECURITY
Management of Information Security, 5th Edition, © Cengage Learning
3
Introduction to Personnel and Security
Maintaining a secure environment requires that the InfoSec department be carefully structured and staffed with appropriately skilled and screened personnel.
It also requires that the proper procedures be integrated into all human resources activities, including hiring, training, promotion, and termination practices.
4
Staffing the Security Function
Selecting an effective mix of information security personnel requires that you consider a number of criteria; some are within the control of the organization, and others are not.
In general, when the demand for personnel with critical information security technical or managerial skills rises quickly, the initial supply often fails to meet it.
As demand becomes known, professionals enter the job market or refocus their job skills to gain the required skills, experience, and credentials.
5
Qualifications and Requirements
To move the InfoSec discipline forward:
– The general management community of interest should learn more about the requirements and qualifications for both information security positions and relevant IT positions
– Upper management should learn more about information security budgetary and personnel needs
– The IT and general management communities of interest must grant the information security function (and CISO) an appropriate level of influence and prestige
6
Qualifications and Requirements
When hiring InfoSec staff at all levels, organizations frequently look for individuals who:
– Understand how organizations are structured and operated
– Recognize that InfoSec is a management task that cannot be handled with technology alone
– Work well with people in general, including users, and communicate effectively using both strong written and verbal communication skills
– Acknowledge the role of policy in guiding security efforts
– Understand the essential role of information security education and training, which helps make users part of the solution, rather than part of the problem
7
Qualifications and Requirements
When hiring InfoSec staff at all levels, organizations frequently look for individuals who (continued):
– Perceive the threats facing an organization, understand how these threats can become transformed into attacks, and safeguard the organization from information security attacks
– Understand how technical controls can be applied to solve specific information security problems
– Demonstrate familiarity with the mainstream information technologies, including Disk Operating System (DOS), Windows, Linux, and UNIX OSs
– Understand IT and InfoSec terminology and concepts
8
Information Security Positions
Information security positions can be classified into one of three areas: those that define, those that build, and those that administer.
– Definers provide the policies, guidelines, and standards. They are the people who do the consulting and the risk assessment, and develop the product and technical architectures. They are senior people with broad knowledge, but not a lot of depth
– Builders are the real techies, who create and install security solutions
– Administrators are the people who operate and administer the security tools, the security monitoring function, and the people who continuously improve the processes. This is where all the day-to-day, hard work is done
9
Possible Information Security Positions & Reporting Relationships
10
Chief Information Security Officer (CISO)
The CISO is typically considered the top information security officer in the organization, although the CISO is usually not an executive-level position and frequently reports to the CIO, unless the organization employs a CSO.
Although these individuals are business managers first and technologists second, they must be conversant in all areas of information security, including technology, planning, and policy.
11
CISO: Qualifications and Position Requirements
The most common qualifications for the CISO include the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM).
A graduate degree in business, technology, criminal justice, or another related field is usually required as well.
A candidate for this position should have experience in security management, as well as in planning, policy, and budgets.
12
CISO: Qualifications and Position Requirements
In addition to taking on these roles and responsibilities, CISOs should practice the following key principles to shape their career:
– Practice business engagement - Build professional relationships with key stakeholders in the organization
– Focus initiatives on what is learned - Knowledge gained becomes a tool in developing and prioritizing efforts for the InfoSec department
– Align, target, and time initiatives - Convey resource availability and constraints to the organization to maintain support and confidence
– Deliver services - Maintain a professional “sales and service” perspective to enhance the organization’s opinion of the InfoSec department’s value
– Establish and maintain credibility - Promote the value of the InfoSec department, its skill, expertise and quality of efforts
– Manage relationships - Understand the decision makers in the organization and cultivate professional relationships with them
13
Security Manager
A security manager is accountable for the day-to-day operation of all or part of the InfoSec program.
They accomplish objectives identified by the CISO and resolve issues identified by the technicians.
Security managers are often assigned specific managerial duties by the CISO, including policy development, risk assessment, contingency planning, and operational and tactical planning for the security function.
Management of technology requires an understanding of the technology that is administered but not necessarily proficiency in its configuration, operation, or fault resolution.
14
Security Manager: Qualifications and Position Requirements
It is not uncommon for a security manager to have a CISSP or CISM.
These individuals must have experience in traditional business activities, including budgeting, project management, personnel management, and hiring and firing.
They must be able to draft middle- and lower-level policies, as well as standards and guidelines.
Several types of information security managers exist, and the people who fill these roles tend to be much more specialized than CISOs.
15
Security Technician
A security technician is a technically qualified individual who may configure firewalls and IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technology is properly implemented.
The role of security technician is a typical information security entry-level position, albeit a technical one.
Like network technicians, security technicians tend to be specialized, focusing on one major security technology group and then further specializing in a particular software or hardware package within the group.
16
Security Technician: Qualifications and Position Requirements
The technical qualifications and position requirements for a security technician vary.
Organizations typically prefer expert, certified, proficient technicians.
Job requirements usually include some level of experience with a particular hardware and software package.
Sometimes familiarity with a particular technology is enough to secure an applicant an interview; however, experience using the technology is usually required.