1. TEL2813/IS2820 Security Management
Lecture 1
Jan 10, 2006

2. Contact James Joshi 706A, IS Building Phone: 412-624-9982
Web: /~jjoshi/TELCOM2813/Spring2005/
Office Hours: Wednesdays: 1.00 – 3.00 p.m. or By appointments
GSA: will be announced later

3. Course objective
The course is aimed at imparting knowledge and skill sets required to assume the overall responsibilities of administration and management of security of an enterprise information system.

4. Course objective After the course, ability to to carry out
detailed analysis of enterprise security by performing various types of analysis
vulnerability analysis, penetration testing,
audit trail analysis,
system and network monitoring, and
Configuration management, etc.
Carry out the task of security risk management using various practical and theoretical tools.

5. Course objective After the course, ability to carry out
Design detailed enterprise wide security plans and policies, and deploy appropriate safeguards (models, mechanisms and tools) at all the levels due consideration to
the life-cycle of the enterprise information systems and networks,
legal and social environment
Be able to certify products according to IA standards (Common Criteria Evaluations)

6. Course content Introduction to Security Management
Security policies/models/mechanisms
Security Management Principles, Models and Practices
Security Planning/ Asset Protection
Security Programs and Disaster Recovery Plans
Standards and Security Certification Issues
Rainbow Series, Common Criteria
Security Certification Process
National/International Security Laws and Ethical Issues
Security Analysis and Safeguards
Vulnerability analysis (Tools & Tech.)
Penetration testing
Risk Management
Protection Mechanisms and Incident handling
Access Control and Authentication architecture
Configuration Management
Auditing systems audit trail analysis
Network defense and countermeasures
Intrusion Detection Systems (SNORT)
Architectural configurations and survivability
Firewall configurations
Virtual private networks
Computer and network forensic
Privacy Protection
Case studies on OS and application software (e.g., SELinux, Unix and Windows Security)

7. Course Material Recommended course material
Management of Information Security, M. E. Whitman, H. J. Mattord
Guide to Disaster Recovery, M. Erbschilde
Guide to Network Defense and Countermeasures, G. Holden
Real Digital Forensics: Computer Security and Incident Response, 1/e; Keith J. Jones, Richard Bejtlich, Curtis W. Rose
Computer Security: Art and Science, Matt Bishop (ISBN: ), Addison-Wesley 2003
Security in Computing, 2nd Edition, Charles P. Pfleeger, Prentice Hall
A list of papers will be provided

8. Tentative Grading Assignments (50%) Exams 20% Project 30%
Homework/Quiz/Paper review/Class Participation/Seminar attendance 40%
One/two presentation 10%
Exams 20%
Project 30%

9. Course Policies Your work MUST be your own Homework
Zero tolerance for cheating/plagiarism
You get an F for the course if you cheat in anything however small – NO DISCUSSION
Discussing the problem is encouraged
Homework
Penalty for late assignments (15% each day)
Ensure clarity in your answers – no credit will be given for vague answers
Homework is primarily the GSA’s responsibility
Check webpage for everything!
You are responsible for checking the webpage for updates

10. Introduction

11. Introduction
Information technology is critical to business and society
Computer security is evolving into information security
Information security is the responsibility of every member of an organization, but managers play a critical role

12. Introduction
Information security involves three distinct communities of interest
Information security managers and professionals
Information technology managers and professionals
Non-technical business managers and professionals

13. Communities of Interest
InfoSec community:
protect information assets from threats
IT community:
support business objectives by supplying appropriate information technology
Business community:
policy and resources

14. What Is Security?
“The quality or state of being secure— to be free from danger”
Security is achieved using several strategies simultaneously
What Is Security?
Understanding the technical aspects of information security requires that you know the definitions of certain information technology terms and concepts.
In general, security is defined as “the quality or state of being secure—to be free from danger.”
Security is often achieved by means of several strategies usually undertaken simultaneously or used in combination with one another.

15. Security and Control Controls Examples Physical security
Personal security
Operations security
Communications security
Network security
Controls
Physical Controls
Technical Controls
Administrative
Prevention – Detection – Recovery
Deterrence, Corrective

16. InfoSec Components FIGURE 1-1 Components of Information Security
Information security (InfoSec) is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
Figure 1-1 shows that information security includes the broad areas of information security management (the topic of this book), computer and data security, and network security. At the heart of the study of information security is the concept of policy (discussed in detail in Chapter 4). Policy, awareness, training, education, and technology
are vital concepts for the protection of information and for keeping information systems from danger.

17. CIA Triangle The C.I.A. triangle is made up of
Confidentiality
Integrity
Availability
Over time the list of characteristics has expanded, but these three remain central
CNSS model is based on CIA

18. NSTISSC Security Model (4011)
Figure 1-2 NSTISSC Security Model
The NSTISSC security model, as shown in Figure 1-2, illustrates three dimensions central to the discussion of information security. If we extend the relationship among the three dimensions represented by the axes, we end up with a 3 × 3 × 3 cube with 27 cells. Each of these cells represents an area of intersection among these three dimensions that must be addressed to secure information systems. When using this model to design or review any information security program, you must make sure that each of the 27 cells is properly addressed by each of the three communities of interest.

19. Key Concepts: Confidentiality
only those with sufficient privileges may access certain information
Confidentiality model
Bell-LaPadula
No write down & No read up
TCSEC/TNI (Orange, Red Book)
Some threats
Hackers
Masqueraders
Unauthorized users
Unprotected download of files
LANS
Trojan horses

20. Key Concepts: Integrity
Integrity is the quality or state of being whole, complete, and uncorrupted
Integrity model
Biba/low water mark
No write up & No read down
Clark-Wilson
Separation of duty
Lipner
Other issues
Origin integrity
Data integrity

21. Key Concepts: Availability
making information accessible to user access without interference or obstruction
Survivability
Ensuring availability in presence of attacks

22. Key Concepts: privacy Privacy
Information is to be used only for purposes known to the data owner
This does not focus on freedom from observation, but rather that information will be used only in ways known to the owner

23. Key Concepts: Identification
Information systems possess the characteristic of identification when they are able to recognize individual users
Identification and authentication are essential to establishing the level of access or authorization that an individual is granted

24. Key Concepts: Authentication & Authorization
Authentication occurs when a control provides proof that a user possesses the identity that he or she claims
Authorization
authorization provides assurance that the user has been specifically and explicitly authorized by the proper authority to access the contents of an information asset

25. Key Concepts: Accountability; Assurance
The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process
Assurance
Assurance that all security objectives are met

26. What Is Management?
A process of achieving objectives using a given set of resources
To manage the information security process, first understand core principles of management
A manager is
“someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals”

27. Managerial Roles
Informational role: Collecting, processing, and using information to achieve the objective
Interpersonal role: Interacting with superiors, subordinates, outside stakeholders, and other
Decisional role: Selecting from alternative approaches and resolving conflicts, dilemmas, or challenges

28. Differences Between Leadership and Management
The leader influences employees so that they are willing to accomplish objectives
He or she is expected to lead by example and demonstrate personal traits that instill a desire in others to follow
Leadership provides purpose, direction, and motivation to those that follow
A manager administers the resources of the organization, budgets, authorizes expenditure

29. Characteristics of a Leader
Bearing
Courage
Decisiveness
Dependability
Endurance
Enthusiasm
Initiative
Integrity
Judgment
Justice
Knowledge
Loyalty
Tact
Unselfishness
Characteristics of a Leader What makes a good leader?
Bearing
Courage
Decisiveness
Dependability
Endurance
Enthusiasm
Initiative Integrity
Judgment
Justice
Knowledge
Loyalty
Tact
Unselfishness
Used by US military

30. What Makes a Good Leader? Action plan
Know yourself and seek self-improvement
Be technically and tactically proficient
Seek responsibility and take responsibility for your actions
Make sound and timely decisions
Set the example
Know your [subordinates] and look out for their well-being
Keep your subordinates informed
Develop a sense of responsibility in your subordinates
Ensure the task is understood, supervised, and accomplished
Build the team
Employ your team in accordance with its capabilities
Action plan for improvement of leadership abilities:
Know yourself and seek self-improvement.
Be technically and tactically proficient.
Seek responsibility and take responsibility for your actions.
Make sound and timely decisions.
Set the example.
Know your [subordinates] and look out for their well-being.
Keep your subordinates informed.
Develop a sense of responsibility in your subordinates.
Ensure the task is understood, supervised, and accomplished.
Build the team.
Employ your [team] in accordance with its capabilities.

31. Leadership quality and types
A leader must:
BE a person of strong and honorable character
KNOW you, the details of your situation, the standards to which you work, human nature, and your team
DO by providing purpose, direction, and motivation to your team
Three basic behavioral types of leaders:
Autocratic
Democratic
Laissez-faire

32. Characteristics of Management
Two well-known approaches to management:
Traditional management theory using principles of planning, organizing, staffing, directing, and controlling (POSDC)
Popular management theory using principles of management into planning, organizing, leading, and controlling (POLC)

33. The Planning–Controlling Link
Figure 1-3 The Planning–Controlling Link
The management of tasks leading to the accomplishment of any objective requires certain basic skills. These skills are referred to as management characteristics, functions, principles, or responsibilities. Two basic approaches to management exist:
■ Traditional management theory uses the core principles of planning, organizing, staffing, directing, and controlling (POSDC).
■ Popular management theory categorizes the principles of management into planning, organizing, leading, and controlling (POLC).
The text uses POLC to examine the skills that managers must employ when dealing with tasks. Figure 1-3 shows an overview of these elements and illustrates how the elements are conceptually related.

34. Planning & Organization
Planning: process that develops, creates, and implements strategies for the accomplishment of objectives
Three levels of planning
Strategic
Tactical
Operational
Organization: structuring of resources to support the accomplishment of objectives

35. Leadership Encourages the implementation of
the planning and organizing functions,
Includes supervising employee behavior, performance, attendance, and attitude
Leadership generally addresses the direction and motivation of the human resource

36. Control
Control:
Monitoring progress toward completion
Making necessary adjustments to achieve the desired objectives
Controlling function determines what must be monitored as well as using specific control tools to gather and evaluate information

37. Control Tools Four categories: Information Financial Operational
Information flows/ communications
Financial
Guide use of monetary resources (ROI,CBA,..)
Operational
PERT, Gantt, process flow
Behavioral
Human resources

38. The Control Process
Figure 1-4 The Control Process
Each of the management behavior tool categories relies on the use of negative feedback. They all use performance measurements, comparison, and corrective action, an approach that is illustrated as a control process in Figure 1-4.

39. Solving Problems Step 1: Recognize and Define the Problem
Step 2: Gather Facts and Make Assumptions
Step 3: Develop Possible Solutions (Brainstorming)
Step 4: Analyze and Compare the Possible Solutions (Feasibility analysis)
Step 5: Select, Implement, and Evaluate a Solution

40. Feasibility Analyses
Economic feasibility assesses costs and benefits of a solution
Technological feasibility assesses an organization’s ability to acquire and manage a solution
Behavioral feasibility assesses whether members of the organization will support a solution
Operational feasibility assesses if an organization can integrate a solution

41. Principles Of Information Security Management
The extended characteristics of information security are known as the six Ps:
Planning
Policy
Programs
Protection
People
Project Management

42. InfoSec Planning Planning as part of InfoSec management
is an extension of the basic planning model discussed earlier
Included in the InfoSec planning model are
activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment

43. InfoSec Planning Types
Several types of InfoSec plans exist:
Incident response
Business continuity
Disaster recovery
Policy
Personnel
Technology rollout
Risk management and
Security program including education, training and awareness

44. Policy
Policy: set of organizational guidelines that dictates certain behavior within the organization
In InfoSec, there are three general categories of policy:
General program policy (Enterprise Security Policy)
An issue-specific security policy (ISSP)
E.g., , Intenert use
System-specific policies (SSSPs)
E.g., Access control list (ACLs) for a device

45. Programs Programs are operations managed as
specific entities in the information security domain
Example:
A security education training and awareness (SETA) program is one such entity
Other programs that may emerge include
a physical security program, complete with fire, physical access, gates, guards, and so on

46. Protection Risk management activities, including
risk assessment and control, &
Protection mechanisms, technologies & tools
Each of these mechanisms represents some aspect of the management of specific controls in the overall security plan

47. People
People are the most critical link in the information security program
Human firewall
It is imperative that managers continuously recognize the crucial role that people play; includes
information security personnel and the security of personnel, as well as aspects of the SETA program

48. Project Management
Project management discipline should be present throughout all elements of the information security program
Involves
Identifying and controlling the resources applied to the project
Measuring progress and adjusting the process as progress is made toward the goal

50. Security Planning

51. Introduction Successful organizations utilize planning
Planning involves:
Employees
Management
Stockholders
Other outside stakeholders
Physical environment
Political and legal environment
Competitive environment
Technological environment

52. Introduction Strategic planning includes:
Vision statement
Mission statement
Strategy
Coordinated plans for sub units
Knowing how the general organizational planning process works helps in the information security planning process

53. Introduction Planning: Top-down method:
Is creating action steps toward goals, and then controlling them
Provides direction for the organization’s future
Top-down method:
Organization’s leaders choose the direction
Planning begins with the general and ends with the specific

54. Information Security Planning
In this textbook, the planning process is broken into two chapters – one on business planning (in general and specific to information security) and one on preparedness planning, also called contingency planning.

55. Components Of Planning: Mission Statement
Declares the business of the organization and its intended areas of operations
Explains what the organization does and for whom
Example:
Random Widget Works, Inc. designs and manufactures quality widgets, associated equipment and supplies for use in modern business environments
CSSD

56. Components Of Planning: Vision Statement
Expresses what the organization wants to become
Should be ambitious
Example:
Random Widget Works will be the preferred manufacturer of choice for every business’s widget equipment needs, with an RWW widget in every machine they use

57. Components Of Planning: Values
By establishing organizational principles in a values statement, an organization makes its conduct standards clear
Example:
RWW values commitment, honesty, integrity and social responsibility among its employees, and is committed to providing its services in harmony with its corporate, social, legal and natural environments.
The mission, vision, and values statements together provide the foundation for planning

58. Components Of Planning: Strategy
Strategy is the basis for long-term direction
Strategic planning:
Guides organizational efforts
Focuses resources on clearly defined goals
“… strategic planning is a disciplined effort to produce fundamental decisions and actions that shape and guide what an organization is, what it does, and why it does it, with a focus on the future.”

59. Strategic Planning

60. Strategic Planning Organization: Each level of division
Develops a general strategy
Creates specific strategic plans for major divisions
Each level of division
translates those objectives into more specific objectives for the level below
In order to execute this broad strategy,
executives must define individual managerial responsibilities

61. Planning for the Organization

62. Strategic Planning Strategic goals are then translated
into tasks with specific, measurable, achievable, reasonably high and time-bound objectives (SMART)
Strategic planning
then begins a transformation from general to specific objectives

63. Planning Levels

64. Planning levels Tactical Planning
Shorter focus than strategic planning
Usually one to three years
Breaks applicable strategic goals into a series of incremental objectives

65. Planning levels Operational Planning
Used by managers and employees to organize the ongoing, day-to-day performance of tasks
Includes clearly identified coordination activities across department boundaries such as:
Communications requirements
Weekly meetings
Summaries
Progress reports

66. Typical Strategic Plan Elements
Introduction by senior executive (President/CEO)
Executive Summary
Mission Statement and Vision Statement
Organizational Profile and History
Strategic Issues and Core Values
Program Goals and Objectives
Management/Operations Goals and Objectives
Appendices (optional)
Strengths, weaknesses, opportunities and threats (SWOT) analyses, surveys, budgets &etc

67. Tips For Planning
Create a compelling vision statement that frames the evolving plan, and acts as a magnet for people who want to make a difference
Embrace the use of balanced scorecard approach
Deploy a draft high level plan early, and ask for input from stakeholders in the organization
Make the evolving plan visible

68. Tips For Planning Make the process invigorating for everyone
Be persistent
Make the process continuous
Provide meaning
Be yourself
Lighten up and have some fun

69. Planning For Information Security Implementation
The CIO and CISO play important roles
in translating overall strategic planning into tactical and operational information security plans
CISO plays a more active role
in the development of the planning details than does the CIO

70. CISO Job Description
Creates strategic information security plan with a vision for the future of information security at Company X…
Understands fundamental business activities performed by Company X
Based on this understanding, suggests appropriate information security solutions that uniquely protect these activities…
Develops action plans, schedules, budgets, status reports and other top management communications intended to improve the status of information security at Company X…

71. Planning for InfoSec
Once plan has been translated into IT and information security objectives and tactical and operational plans for information security, implementation can begin
Implementation of information security can be accomplished in two ways:
Bottom-up OR
Top-down

72. Approaches to Security Implementation
Bottom-Up Planning
The bottom-up approach can begin as a grass-roots effort in which systems administrators attempt to improve the security of their systems.
The key advantage to this approach is the technical expertise of the individual administrators, since they work with information systems on a daily basis.
Unfortunately, this approach seldom works, as it lacks a number of critical features, such as coordinated planning from upper management, coordination between departments, and the provision of sufficient resources.
Top-Down Planning
The top-down approach, in contrast, has strong upper management support, a dedicated champion, usually assured funding, a clear planning and implementation process, and the ability to influence organizational culture.
High-level managers provide resources, give direction, issue policies, procedures and processes, dictate the goals and expected outcomes of the project, and determine who is accountable for each of the required actions.
The most successful top-down approach also involves a formal development strategy referred to as the systems development life cycle.
Involvement and support of the end users is also critical to the success of this type of effort.

73. The Systems Development Life Cycle (SDLC)
SDLC: methodology for the design and implementation of an information system
SDLC-based projects may be initiated by events or planned
At the end of each phase, a review occurs when reviewers determine if the project should be continued, discontinued, outsourced, or postponed

74. Phases of An SDLC

75. Investigation Identifies problem to be solved
Begins with the objectives, constraints, and scope of the project
A preliminary cost/benefit analysis is developed to evaluate the perceived benefits and the appropriate costs for those benefits

76. Analysis Begins with information from the Investigation phase
Assesses the organization’s readiness, its current systems status, and its capability to implement and then support the proposed system(s)
Analysts determine what the new system is expected to do, and how it will interact with existing systems

77. Logical Design
Information obtained from analysis phase is used to create a proposed solution for the problem
A system and/or application is selected based on the business need
The logical design is the implementation independent blueprint for the desired solution

78. Physical Design
During the physical design phase, the team selects specific technologies
The selected components are evaluated further as a make-or-buy decision
A final design is chosen that optimally integrates required components

79. Implementation
Develop any software that is not purchased, and create integration capability
Customized elements are tested and documented
Users are trained and supporting documentation is created
Once all components have been tested individually, they are installed and tested as a whole

80. Maintenance
Tasks necessary to support and modify the system for the remainder of its useful life
System is tested periodically for compliance with specifications
Feasibility of continuance versus discontinuance is evaluated
Upgrades, updates, and patches are managed
When current system can no longer support the mission of the organization, it is terminated and a new systems development project is undertaken

81. The Security SDLC
May differ in several specifics, but overall methodology is similar to the SDLC
SecSDLC process involves:
Identification of specific threats and the risks that they represent
Subsequent design and implementation of specific controls to counter those threats and assist in the management of the risk those threats pose to the organization

82. Investigation in the SecSDLC
Often begins as directive from management specifying the process, outcomes, and goals of the project and its budget
Frequently begins with the affirmation or creation of security policies
Teams assembled to analyze problems, define scope, specify goals and identify constraints
Feasibility analysis determines whether the organization has resources and commitment to conduct a successful security analysis and design

83. Analysis in the SecSDLC
A preliminary analysis of existing security policies or programs is prepared along with known threats and current controls
Includes an analysis of relevant legal issues that could affect the design of the security solution
Risk management begins in this stage

84. Risk Management
Risk Management: process of identifying, assessing, and evaluating the levels of risk facing the organization
Specifically the threats to the information stored and processed by the organization
To better understand the analysis phase of the SecSDLC, you should know something about the kinds of threats facing organizations
In this context, a threat is an object, person, or other entity that represents a constant danger to an asset

85. Key Terms
Attack: deliberate act that exploits a vulnerability to achieve the compromise of a controlled system
Accomplished by a threat agent that damages or steals an organization’s information or physical asset
Exploit: technique or mechanism used to compromise a system
Vulnerability: identified weakness of a controlled system in which necessary controls are not present or are no longer effective

86. Threats to Information Security

87. Some Common Attacks Malicious code Hoaxes Back doors Password crack
Brute force
Dictionary
Denial-of-service (DoS) and distributed denial-of-service (DDoS)
Spoofing
Man-in-the-middle
Spam
Mail bombing
Sniffer
Social engineering
Buffer overflow
Timing

88. Risk Management
Use some method of prioritizing risk posed by each category of threat and its related methods of attack
To manage risk, you must identify and assess the value of your information assets
Risk assessment assigns comparative risk rating or score to each specific information asset
Risk management identifies vulnerabilities in an organization’s information systems and takes carefully reasoned steps to assure the confidentiality, integrity, and availability of all the components in organization’s information system

89. Design in the SecSDLC
Design phase actually consists of two distinct phases:
Logical design phase: team members create and develop a blueprint for security, and examine and implement key policies
Physical design phase: team members evaluate the technology needed to support the security blueprint, generate alternative solutions, and agree upon a final design

90. Security Models
Security managers often use established security models to guide the design process
Security models provide frameworks for ensuring that all areas of security are addressed
Organizations can adapt or adopt a framework to meet their own information security needs

91. Policy
A critical design element of the information security program is the information security policy
Management must define three types of security policy:
General or security program policy
Issue-specific security policies
Systems-specific security policies

92. SETA An integral part of the InfoSec program is
Security education and training (SETA) program
SETA program consists of three elements:
security education, security training, and security awareness
Purpose of SETA is to enhance security by:
Improving awareness
Developing skills and knowledge
Building in-depth knowledge

93. Design
Attention turns to the design of the controls and safeguards used to protect information from attacks by threats
Three categories of controls:
Managerial
Operational
Technical

94. Managerial Controls Address design/implementation of the
security planning process and
security program management
Management controls also address:
Risk management
Security control reviews

95. Operational Controls
Cover management functions and lower level planning including:
Disaster recovery
Incident response planning
Operational controls also address:
Personnel security
Physical security
Protection of production inputs and outputs

96. Technical Controls
Address those tactical and technical issues related to
designing and implementing security in the organization
Technologies necessary to protect information are examined and selected

97. Contingency Planning
Essential preparedness documents provide contingency planning (CP) to prepare, react and recover from circumstances that threaten the organization:
Incident response planning (IRP)
Disaster recovery planning (DRP)
Business continuity planning (BCP)

98. Physical Security Physical Securityaddresses
the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization
Physical resources include:
People
Hardware
Supporting information system elements

99. Implementation in the SecSDLC
Security solutions are acquired, tested, implemented, and tested again
Personnel issues are evaluated and specific training and education programs conducted
Perhaps most important element of implementation phase is management of project plan:
Planning the project
Supervising tasks and action steps within the project
Wrapping up the project

100. InfoSec Project Team
Should consist of individuals experienced in one or multiple technical and non-technical areas including:
Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users

101. Staffing the InfoSec Function
Each organization should examine the options for staffing of the information security function
Decide how to position and name the security function
Plan for proper staffing of information security function
Understand impact of information security across every role in IT
Integrate solid information security concepts into personnel management practices of the organization

102. InfoSec Professionals
It takes a wide range of professionals to support a diverse information security program:
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Security Managers
Security Technicians
Data Owners
Data Custodians
Data Users

103. Certifications
Many organizations seek professional certification so that they can more easily identify the proficiency of job applicants:
CISSP
SSCP
GIAC
SCP
ICSA
Security +
CISM

104. Maintenance and Change in the SecSDLC
Once information security program is implemented,
it must be properly operated, managed, and kept up to date by means of established procedures
If the program is not adjusting adequately to the changes in the internal or external environment, it may be necessary to begin the cycle again

105. Maintenance Model
While a systems management model is designed to manage and operate systems, a maintenance model is intended to focus organizational effort on system maintenance:
External monitoring
Internal monitoring
Planning and risk assessment
Vulnerability assessment and remediation
Readiness and review
Vulnerability assessment

107. ISO Management Model
One issue planned in the SecSDLC is the systems management model
ISO network management model - five areas:
Fault management
Configuration and name management
Accounting management
Performance management
Security management

108. Security Management Model
Fault Management involves identifying and addressing faults
Configuration and Change Management involve administration of components involved in the security program and administration of changes
Accounting and Auditing Management involves chargeback accounting and systems monitoring
Performance Management determines if security systems are effectively doing the job for which they were implemented

109. Security Program Management
Once an information security program is functional, it must be operated and managed
In order to assist in the actual management of information security programs, a formal management standard can provide some insight into the processes and procedures needed
This could be based on the BS7799/ISO17799 model or the NIST models described earlier