Lecture 2: Planning for Security INFORMATION SECURITY MANAGEMENT


1 Lecture 2: Planning for Security INFORMATION SECURITY MANAGEMENT
You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

2 Outline and Review
- Introduction to Information Security
- CIA Triangle and Extensions
- Principles of Information Security Management
- Planning for Information Security

3 Principles of Information Security Mgmt
Include the following characteristics that will be the focus of the current course (the six P's):
- Planning
- Policy
- Programs
- Protection
- People
- Project Management
(Chapters 2 & 3)

4 Information Security Planning
Figure 2-1 Information Security and Planning Source: Course Technology/Cengage Learning

5 The Role of Planning
Successful organizations utilize planning. Planning involves:
- Employees
- Management
- Stockholders
- Other outside stakeholders
- The physical and technological environment
- The political and legal environment
- The competitive environment

6 The Role of Planning (cont'd.)
Strategic planning includes:
- Vision statement
- Mission statement
- Strategy
- Coordinated plans for sub-units

7 Precursors to Planning
- Values statement: establishes organizational principles
- Vision statement: what the organization wants to become
- Mission statement: what the organization does and for whom
The values, vision, and mission statements together provide the foundation for planning.

8 Strategic Planning
- Strategy is the basis for long-term direction
- Strategic planning guides organizational efforts

9 Planning Levels
- Strategic goals are translated into tasks
- Objectives should be SMART
- Strategic planning then begins a transformation from general to specific objectives

10 Planning Levels (cont'd.)
- Strategic planning
- Tactical planning
- Operational planning

11 Planning and the CISO
Elements of a strategic plan:
- Executive summary
- Mission statement and vision statement
- Organizational profile and history
- Strategic issues and core values
- Program goals and objectives
- Management/operations goals and objectives
- Appendices (optional)

12 Information Security Governance
- Governance of information security is a strategic planning responsibility
- Its importance has grown in recent years
- To be effective and offer a sustainable approach, information security objectives must be addressed at the highest levels of an organization's management team

13 Desired Outcomes
- Strategic alignment
- Risk management
- Resource management
- Performance measurement
- Value delivery

14 Implementing Information Security Governance
Figure 2-6 General Governance Framework Source: IDEAL is a service mark of Carnegie Mellon University

15 Implementing Information Security Governance (cont’d.)
Figure 2-7 The IDEAL model governance framework Source: IDEAL is a service mark of Carnegie Mellon University

16 GRC Article 1: Forrester's Framework
- Lines of defense
- Stakeholder contributions and expectations

17 Planning for Information Security Implementation
Source: Information Security Governance: A Call to Action

18 Planning For Information Security Implementation (cont'd.)
Implementation can begin after the plan has been translated into IT and information security objectives and tactical and operational plans.
Methods of implementation:
- Bottom-up
- Top-down

19 Planning For Information Security Implementation (cont’d.)
Source: Course Technology/Cengage learning

20 Article 3: Boards must act
Do boards really understand the IT security risks for their organizations?
- Information governance policy
- The right policy and framework

21 System Development Life Cycle
- A methodology for the design and implementation of an information system
- The SecSDLC methodology is similar to the SDLC

22 Security Systems Development Life Cycle
- Identification of specific threats and the risks they represent
- Design and implementation of specific controls to counter those threats and manage the risks posed to the organization

23 SecSDLC: Investigation
- The phase begins with a directive from management specifying the process, outcomes, and goals of the project and its budget
- Feasibility analysis: determines whether the organization has the resources and commitment to conduct a successful security analysis and design

24 SecSDLC: Analysis
- Prepare an analysis of existing security policies and programs, along with known threats and current controls
- Analyze relevant legal issues that could affect the design of the security solution

25 SecSDLC: Analysis (cont'd.)
Table 2-1 Threats to Information Security

26 SecSDLC Analysis: Threats to Information Security
- Exploit
- Vulnerability
- Attack
Ex. Java vulnerability patch ....and a week later

27 SecSDLC Analysis: Common Attacks
- Malicious code
- Hoaxes
- Back doors
- Password crack
  - Brute force
  - Dictionary
- Denial-of-service (DoS) and distributed denial-of-service (DDoS)
- Spoofing
- Man-in-the-middle
- Spam
- Mail bombing
- Sniffer
- Social engineering
- Buffer overflow
- Timing

28 SecSDLC Analysis: Risk Management
- Prioritize the risk posed by each category of threat
- Identify and assess the value of your information assets
- Assign a comparative risk rating or score to each specific information asset
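The three risk-management steps above, worked through as an added example (not from the lecture or the textbook it follows). The scoring scheme is an assumption chosen for illustration: an asset's value is a weighted sum of rated criteria, the comparative risk score is asset value scaled by the threat's likelihood, and scores are totalled per threat category so the categories can be prioritized; the criteria, weights, assets and likelihoods are constructed sample data.

```python
from collections import defaultdict

# Constructed valuation criteria; weights sum to 1.0 (assumed scheme, not the textbook's).
CRITERIA_WEIGHTS = {
    "impact_on_revenue": 0.5,
    "impact_on_profitability": 0.3,
    "impact_on_image": 0.2,
}


def asset_value(ratings):
    """Step 2: value an asset as the weighted sum of its criteria ratings (0-100 each)."""
    return sum(CRITERIA_WEIGHTS[c] * ratings[c] for c in CRITERIA_WEIGHTS)


def risk_score(value, likelihood):
    """Step 3: comparative risk rating = asset value x likelihood of the threat (0.0-1.0)."""
    return round(value * likelihood, 1)


def prioritize(assets, threats):
    """Step 1: total the risk per threat category (highest first) and rank every
    asset/threat pair so the most exposed assets surface at the top."""
    by_category = defaultdict(float)
    per_asset = []
    for name, ratings in assets.items():
        value = asset_value(ratings)
        for category, likelihood in threats.items():
            score = risk_score(value, likelihood)
            by_category[category] += score
            per_asset.append((name, category, score))
    ranked = sorted(by_category.items(), key=lambda kv: kv[1], reverse=True)
    per_asset.sort(key=lambda t: t[2], reverse=True)
    return ranked, per_asset


# Constructed sample inventory and threat likelihoods.
ASSETS = {
    "customer_db": {"impact_on_revenue": 100, "impact_on_profitability": 90, "impact_on_image": 100},
    "edge_router": {"impact_on_revenue": 80, "impact_on_profitability": 60, "impact_on_image": 40},
    "public_web": {"impact_on_revenue": 50, "impact_on_profitability": 40, "impact_on_image": 90},
}
THREATS = {"malicious_code": 0.8, "social_engineering": 0.6, "denial_of_service": 0.4, "hardware_failure": 0.2}

if __name__ == "__main__":
    ranked, per_asset = prioritize(ASSETS, THREATS)
    for category, total in ranked:
        print(f"{category:20s} total risk {total:6.1f}")
    print("most exposed:", per_asset[0])
```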

29 SecSDLC: Design
Design in the SecSDLC:
- Create and develop a blueprint for security
- Examine and implement key policies
- Evaluate the technology needed to support the security blueprint
- Generate alternative solutions
- Agree upon a final design
Security models may be used to guide the design process.

30 SecSDLC: Design
- A critical design element of the information security program is the information security policy
- Management must define the types of security policy
- An integral part of design is the SETA program, which consists of security education, security training, and security awareness; its purpose is to enhance security

31 SecSDLC: Design
Design controls and safeguards, used to protect information from attacks by threats. Categories of controls and safeguards:
- Managerial controls
- Operational controls
- Technical controls

32 SecSDLC: Design

33 SecSDLC: Design
Contingency planning (Chapter 3): prepare for, react to, and recover from circumstances that threaten the organization.
Types of contingency planning:
- Incident response planning (IRP)
- Disaster recovery planning (DRP)
- Business continuity planning (BCP)

34 SecSDLC: Design
Physical security: design, implementation, and maintenance of countermeasures that protect the physical resources of an organization.
Physical resources include:
- People
- Hardware
- Supporting information system elements

35 SecSDLC: Implementation
- Security solutions are acquired, tested, implemented, and tested again
- Personnel issues are evaluated and specific training and education programs are conducted

36 SecSDLC: Maintenance
Once the program is implemented, it must be:
- Operated
- Properly managed
- Kept timely (i.e. up to date, using established procedures)
If the program is not adjusting adequately to changes in the internal or external environment, it may be necessary to begin the cycle again.

37 SecSDLC: Maintenance
Aspects of a maintenance model:
- External monitoring
- Internal monitoring
- Planning and risk assessment
- Vulnerability assessment and remediation
- Readiness and review
Figure 2-11 Maintenance model

38 SecSDLC: Maintenance
Security program management (Chapter 6):
- A formal management standard can provide some insight into the processes and procedures needed
- Examples include the BS7799 / ISO17799 / ISO27xxx model or the NIST models described earlier

39 Article 2: Dealing with GRC
GRC in an increasingly complex, information-centric world:
- Challenges
- Suggestions
- Building a GRC platform

40 Summary
- Information security governance
- Planning for information security implementation
- Introduction to the security systems development life cycle
