Presentation is loading. Please wait.

Presentation is loading. Please wait.

Developing the Security Program

Published byMerry Ross Modified over 6 years ago

Similar presentations

Presentation on theme: "Developing the Security Program"— Presentation transcript:

1 Developing the Security Program
INFORMATION SECURITY MANAGEMENT Lecture 5: Developing the Security Program You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

2 Introduction: Information Security Program
Information security program is used to describe the structure and organization of the effort that contains risks to the information assets of the organization UNCW Info Security Program

3 Organizing for Security
Variables involved in structuring an information security program Culture Budgets Size As organizations increase in size, their security departments are not keeping up with increasingly complex organizational infrastructures

4 Does Size Matter? :Approaches to Programs
Larger Organization Medium Sized Organization Small Business

5 Security: Very Large Organizations
Security budgets often grow faster than IT budgets Even with a large budget, the average amount spent on security per user is still smaller than any other type of organization

6 Security: Large Organizations
Security approach has often matured, integrating planning and policy into the organization’s culture One approach separates functions into four areas: Non-technology business units outside of IT IT groups outside of information security area Information Security Dept. (customer service) Information Security Dept. (compliance)

7 Security: Large Organizations (cont’d.)
The CISO has responsibility for information security functions The deployment of full-time security personnel depends on: Sensitivity of the information to be protected Industry regulations General profitability Budgetary Constraints

8 Security: Medium-Sized Organizations
May be large enough to implement a multi-tiered approach to security Tend to ignore some security functions

9 Security: Small Organizations
Simple, centralized IT organizational model Spend disproportionately more on security Formal policy, planning, or security measures Commonly outsource functions Threats from insiders are less likely Every employee knows every other employee

10 Components of the Security Program
Organization’s information security needs Unique to the culture, size, and budget of the organization Determining what level the information security program operates on depends on the organization’s strategic plan Also the plan’s vision and mission statements The CIO and CISO should use these two documents to formulate the mission statement for the information security program

11 Information Security Roles and Titles
Types of information security positions Those that define Those that build Those that administer A typical organization has a number of individuals with information security responsibilities

12 Information Security Roles and Titles (cont’d.)
While the titles used may be different, most of the job functions fit into one of the following: Chief Information Security Officer (CISO) or Chief Security Officer (CSO) Security managers Security administrators and analysts Security technicians Security staff Help Desk

13 Information Security Roles and Titles (cont’d.)

14 Implementing Security Education, Training, and Awareness Programs
SETA program Benefits Purpose: Enhance Security

15 SETA: Security Education
Employees within information security may be encouraged to seek a formal education Depth of knowledge Some organizations may refer to the certifications offered in that field

16 SETA: Security Education Developing Education Program
Once the knowledge areas are identified, common knowledge areas are aggregated into teaching domains Course design Should enable a student to obtain the required knowledge and skills upon completion of the program Identify the prerequisite knowledge for each class

17 SETA: Security Training
Involves providing detailed information and hands-on instruction Management can either develop customized training or outsource Customizing training for users: Functional Background Skill Level

18 SETA: Training Techniques
Using the wrong method can hinder the transfer of knowledge Good training programs Training is often for one or a few individuals

19 SETA: Training Techniques (cont’d.)
Selection of the training delivery method Not always based on the best outcome for the trainee Types of Delivery Methods One-on-one Computer-based training (CBT) Formal class Distance learning & web seminars On-the-job training Self-study (non-computerized) User support group Serious Games

20 SETA: Security Awareness
Less frequently implemented, but most effective security methods Security awareness programs: Set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure Remind users of the procedures to be followed

21 SETA: Security Awareness (cont’d.)
Best practices: Focus on people Refrain from using technical jargon Use every available venue Define learning objectives, state them clearly, and provide sufficient detail and coverage Keep things light Don’t overload the users Help users understand their roles in InfoSec Take advantage of in-house communications media Make the awareness program formal Plan and document all actions Provide good information early, rather than perfect information late

22 SETA: Security Awareness (cont’d.)
Commandments of information security awareness training Information security is a people issue Speak their language If they cannot see it, they will not learn it Make your point, support it, and conclude it Always let the recipients know how the behavior that you request will affect them Formalize your training methodology Always be timely

23 SETA: Security Awareness (cont’d.)
Commandments of information security awareness training Information security is a people issue Speak their language If they cannot see it, they will not learn it Make your point, support it, and conclude it Always let the recipients know how the behavior that you request will affect them Formalize your training methodology Always be timely

24 SETA: Security Awareness (cont’d.)
Designed to modify any employee behavior that endangers the security of the organization’s information Effective programs make employees accountable for their actions Dissemination and enforcement of policy become easier Demonstrating due care and due diligence can help indemnify the institution against lawsuits

25 SETA: Security Awareness (cont’d.)
Awareness can take on different forms for particular audiences A security awareness program can use many methods to deliver its message Recognize that people tend to practice a tuning out process (acclimation)

26 SETA: Security Awareness (cont’d.)
Many security awareness components are available at little or no cost Others can be very expensive Examples of security awareness components Videos Another One Posters and banners Lectures and conferences Computer-based training Serious Games Nova Labs Other Games

27 Security Awareness (cont’d.)
Examples of security awareness components (cont’d.) Newsletters Brochures and flyers Trinkets (coffee cups, pens, pencils, T-shirts) Bulletin boards Management of Information Security, 3rd ed.

28 Security Awareness (cont’d.)
Professional posters can be quite expensive, so in-house development may be the best solution Security poster series A simple and inexpensive way to keep security on people’s minds Keys to a good poster series: Varying the content and keeping posters updated Keeping them simple, but visually interesting Making the message clear Providing information on reporting violations

29 Security Awareness (cont’d.)
The messages trinket programs impart will be lost unless reinforced by other means Trinket programs Inexpensive on a per-unit basis They can be expensive to distribute Types of trinkets Pens and pencils, mouse pads Coffee mugs, plastic cups Hats, T-shirts

30 Security Awareness (cont’d.)
Organizations can establish Web pages or sites dedicated to promoting information security awareness Tips on creating and maintaining an educational Web site (cont’d.) Keep page loading time to a minimum Seek feedback Assume nothing and check everything Spend time promoting your site

31 Discussion Topics Discuss the advantages and disadvantages of nesting the information security role within the information technology (IT) part of the organization. Discuss posters, trinkets, and Web sites as information security awareness methods. What are some advantages and disadvantages of each method? Which do you think is the best method and why?

32 Useful Resources Building an SETA program

33 Summary Organizing for security
Placing information security within an organization Components of the security program Information security roles and titles Implementing security education, training, and awareness programs

Download ppt "Developing the Security Program"

Similar presentations

Five -Year Strategic Title I School Plan. Session Objectives Review the five year components utilizing the rubric Organize actions steps to meet the requirements.

Five -Year Strategic Title I School Plan. Session Objectives Review the five year components utilizing the rubric Organize actions steps to meet the requirements.
© Pearson Prentice Hall 2009

© Pearson Prentice Hall 2009
Information Security Policy

Information Security Policy
Security and Personnel

Security and Personnel
Management of Information Security, 4th Edition

Management of Information Security, 4th Edition
Developing the Security Program

Developing the Security Program
3 Chapter Needs Assessment.

3 Chapter Needs Assessment.
Chapter 5 Developing the Security Program

Chapter 5 Developing the Security Program
TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management
Developing the Security Program

Developing the Security Program
Developing the Security Program

Developing the Security Program
Management of Information Security Chapter 5 Developing the Security Program We trained hard ... but every time we formed up teams we would be reorganized.

Management of Information Security Chapter 5 Developing the Security Program We trained hard ... but every time we formed up teams we would be reorganized.
CSE 4482: Computer Security Management: Assessment and Forensics

CSE 4482: Computer Security Management: Assessment and Forensics
A Security Training Program through Transformational Leadership and Practical Approaches Tanetta N. Isler Federal Information Systems Security Educators’

A Security Training Program through Transformational Leadership and Practical Approaches Tanetta N. Isler Federal Information Systems Security Educators’
Implementing Security Education, Training, and Awareness Programs

Implementing Security Education, Training, and Awareness Programs
Developing the Security Program. Objectives Upon completion of this material you should be able to: –Explain the organizational approaches to information.

Developing the Security Program. Objectives Upon completion of this material you should be able to: –Explain the organizational approaches to information.
Training and Developing a Competitive Workforce 17/04/2013.

Training and Developing a Competitive Workforce 17/04/2013.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Chapter 9 The People in Information Systems. Learning Objectives Upon successful completion of this chapter, you will be able to: Describe each of the.

Chapter 9 The People in Information Systems. Learning Objectives Upon successful completion of this chapter, you will be able to: Describe each of the.
MANAGEMENT of INFORMATION SECURITY Second Edition.

MANAGEMENT of INFORMATION SECURITY Second Edition.

Similar presentations

Ads by Google