Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875

Lectures: Tues (CB 122), 7–10 PM

Office hours: Wed 2-4 pm (CSEB 3043), or by appointment.

CSE 4482: Computer Security Management: Assessment and Forensics

2

Ch 4: Information Security Policy

Objectives

• Upon completion of this material you should be able to:
– Define information security policy and understand its central role in a successful information security program
– Describe the three major types of information security policy and explain what goes into each type
– Develop various types of information security policies

Management of Information Security, 3rd ed.

3

Introduction

• Policy is the essential foundation of an effective information security program
• The policy maker sets the tone and emphasizes the importance of information security
• Objectives
– Reduced risk
– Compliance with laws and regulations
– Assurance of operational continuity, information integrity, and confidentiality

4

Why Policy?

• Policies are the least expensive means of control and often the most difficult to implement
• Basic rules for shaping a policy
– Policy should never conflict with law
– Policy must be able to stand up in court if challenged
– Policy must be properly supported and administered

5

Why Policy? (cont’d.)

• Bull’s-eye model
– Networks: threats first meet the organization’s network
– Systems: computers and manufacturing systems
– Applications: all application systems

6

Why Policy? (cont’d.)

• Policies are important reference documents
– For internal audits
– For the resolution of legal disputes about management's due diligence
– Policy documents can act as a clear statement of management's intent
• Types of information security policy
– Enterprise information security program policy
– Issue-specific information security policies
– Systems-specific policies

7

Policy, Standards, and Practices

• Policy: a plan or course of action that influences decisions
– Must be properly disseminated, read, understood, agreed to, and uniformly enforced
– Requires constant modification and maintenance
• Standards: a more detailed statement of what must be done to comply with policy
• Practices: procedures and guidelines explain how employees will comply with policy

8

Policies, Standards, & Practices

Figure 4-2 Policies, standards and practices

Source: Course Technology/Cengage Learning, Management of Information Security, 3rd ed.

9

Enterprise Information Security Policy (EISP)

• Sets strategic direction, scope, and tone for organization’s security efforts

• Assigns responsibilities for various areas of information security

• Guides development, implementation, and management requirements of information security program

10

EISP Elements

1. corporate philosophy on security

2. information security organization and information security roles

11

Example EISP Components

• Statement of purpose
• Information technology security elements
• Need for information technology security
• Information technology security responsibilities and roles
• Reference to other information technology standards and guidelines

12

Issue-Specific Security Policy (ISSP)

• Provides detailed, targeted guidance
– Instructions for the secure use of a technology system
– Begins with an introduction to the fundamental technological philosophy of the organization
• Protects the organization from inefficiency and ambiguity
– Documents how the technology-based system is controlled
– Identifies the processes and authorities that provide this control
• Indemnifies the organization against liability for an employee’s inappropriate or illegal system use

13

Issue-Specific Security Policy (cont’d.)

• ISSP topics
– Email and Internet use
– Minimum system configurations
– Prohibitions against hacking
– Home use of company-owned computer equipment
– Use of personal equipment on company networks
– Use of telecommunications technologies
– Use of photocopy equipment

14

Components of the ISSP

• Statement of Purpose
– Scope and applicability
– Definition of technology addressed
– Responsibilities
• Authorized Access and Usage of Equipment
– User access
– Fair and responsible use
– Protection of privacy

15

Components of the ISSP (cont’d.)

• Prohibited Usage of Equipment
– Disruptive use or misuse
– Criminal use
– Offensive or harassing materials
– Copyrighted, licensed or other intellectual property
– Other restrictions
• Systems management
– Management of stored materials
– Employer monitoring
– Virus protection
– Physical security
– Encryption

16

Components of the ISSP (cont’d.)

• Violations of policy
– Procedures for reporting violations
– Penalties for violations
• Policy review and modification
– Scheduled review of policy and procedures for modification
• Limitations of liability
– Statements of liability or disclaimers

17

System-Specific Security Policy

• System-specific security policies (SysSPs) frequently do not look like other types of policy
– May function as standards or procedures to be used when configuring or maintaining systems
• SysSPs can be separated into
– Management guidance
– Technical specifications
– Or combined in a single policy document

18

Managerial Guidance SysSPs

• Created by management to guide the implementation and configuration of technology

• Applies to any technology that affects the confidentiality, integrity or availability of information, e.g. firewall configuration

• Informs technologists of management intent

19

Technical Specifications SysSPs

• System administrators’ directions on implementing managerial policy

• Each type of equipment has its own type of policies

• General methods of implementing technical controls
– Access control lists
– Configuration rules

20

Technical Specifications SysSPs (cont’d.)

• Access control lists
– Include the user access lists, matrices, and capability tables that govern rights and privileges
– A similar method that specifies which subjects and objects users or groups can access is called a capability table
– These specifications are frequently complex matrices, rather than simple lists or tables
– Enable administrators to restrict access according to user, computer, time, duration, or even a particular file

21

Technical Specifications SysSPs (cont’d.)

• Access control lists regulate
– Who can use the system
– What authorized users can access
– When authorized users can access the system
– Where authorized users can access the system from
– How authorized users can access the system
– Restricting what users can access, e.g. printers, files, communications, and applications
• Administrators set user privileges
– Read, write, create, modify, delete, compare, copy
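Added example (not code from the slides or the textbook): a small evaluator for the kind of access control list a technical SysSP specifies. It answers the who / what / when / where / how questions from the slide, applies the privileges administrators set (read, write, copy, compare), and derives the capability-table view from the same matrix. All users, groups, hosts, objects and rules are constructed sample data; time windows are "HH:MM" strings compared as text.

```python
"""Added example: ACL evaluation with user/host/time restrictions, plus the
capability-table view of the same access matrix. Constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class AclEntry:
    subject: str                            # user or group name ("who")
    rights: FrozenSet[str]                  # privileges granted ("what" / "how")
    hosts: FrozenSet[str] = frozenset()     # permitted source hosts ("where"); empty = any
    start: str = "00:00"                    # permitted window ("when"), HH:MM as text
    end: str = "23:59"


# Object -> entries: the ACL view of the access matrix (one column per object).
ACL: Dict[str, List[AclEntry]] = {
    "payroll.xlsx": [
        AclEntry("hr-staff", frozenset({"read", "write", "copy"}),
                 hosts=frozenset({"hr-ws-01", "hr-ws-02"}), start="08:00", end="18:00"),
        AclEntry("auditors", frozenset({"read", "compare"})),
    ],
    "lpr-finance": [   # a printer: submitting a job is modelled as "write"
        AclEntry("hr-staff", frozenset({"write"})),
        AclEntry("finance", frozenset({"write"})),
    ],
}

GROUPS: Dict[str, Set[str]] = {   # constructed group memberships
    "hr-staff": {"alice", "bob"},
    "auditors": {"carol"},
    "finance": {"dave"},
}


def groups_of(user: str) -> Set[str]:
    return {g for g, members in GROUPS.items() if user in members}


def is_allowed(user: str, obj: str, right: str, host: str, at: str) -> bool:
    """Default deny: grant only if an entry for the object names the user or one
    of the user's groups, includes the right, and its host and time limits hold."""
    subjects = groups_of(user) | {user}
    for entry in ACL.get(obj, []):
        if entry.subject not in subjects:
            continue                                   # who
        if right not in entry.rights:
            continue                                   # what / how
        if entry.hosts and host not in entry.hosts:
            continue                                   # where
        if not (entry.start <= at <= entry.end):
            continue                                   # when
        return True
    return False


def capability_table(user: str) -> Dict[str, FrozenSet[str]]:
    """Subject-centred view of the same matrix: each object the user can reach
    and the union of rights granted, ignoring the host and time conditions."""
    subjects = groups_of(user) | {user}
    caps: Dict[str, Set[str]] = {}
    for obj, entries in ACL.items():
        for entry in entries:
            if entry.subject in subjects:
                caps.setdefault(obj, set()).update(entry.rights)
    return {obj: frozenset(rights) for obj, rights in caps.items()}


if __name__ == "__main__":
    print(is_allowed("alice", "payroll.xlsx", "write", "hr-ws-01", "09:30"))  # True
    print(is_allowed("alice", "payroll.xlsx", "write", "laptop-7", "09:30"))  # False: host
    print(is_allowed("alice", "payroll.xlsx", "write", "hr-ws-01", "22:00"))  # False: time
    print(is_allowed("carol", "payroll.xlsx", "write", "hr-ws-01", "09:30"))  # False: right
    print(capability_table("alice"))
```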

22

Technical Specifications SysSPs - contd

Figure 4-5 Windows XP ACL

Source: Course Technology/Cengage Learning, Management of Information Security, 3rd ed.

23

Technical Specifications SysSPs - contd

• Configuration rules
– Specific configuration codes entered into security systems
– Guide the execution of the system when information is passing through it
• Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process
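Added example (not code from the slides or the textbook): a first-match evaluator for firewall configuration rules of the kind Figure 4-6 illustrates. The rule set, addresses and packets are constructed sample data; the semantics assumed are top-down evaluation, first match wins, and an implicit deny when nothing matches. The shadowed_rules() check flags a common configuration error: a rule placed after a broader one, so it can never take effect.

```python
"""Added example: first-match firewall rule evaluation with implicit default deny,
plus a check for rules shadowed by earlier, broader rules. Constructed data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str               # CIDR block or "any"
    dst: str
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # destination port; None = any
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _net_matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_net_matches(rule.src, pkt.src)
            and _net_matches(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that fired). ("deny", None) means no
    rule matched: the implicit default deny at the end of the list."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None


def _covers(outer: str, inner: str) -> bool:
    """True when every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule matches a
    superset of their traffic, whatever the two actions are."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                shadowed.append(j)
                break
    return shadowed


# Constructed rule set for a small DMZ (192.0.2.0/24) with one public web server.
RULES: List[Rule] = [
    Rule("any", "192.0.2.10/32", "tcp", 80, "allow"),              # web server, http
    Rule("any", "192.0.2.10/32", "tcp", 443, "allow"),             # web server, https
    Rule("198.51.100.0/24", "192.0.2.0/24", "tcp", 22, "allow"),   # admin subnet -> DMZ ssh
    Rule("any", "192.0.2.0/24", "any", None, "deny"),              # everything else into the DMZ
    Rule("203.0.113.0/24", "192.0.2.10/32", "tcp", 22, "allow"),   # never reached: shadowed by rule 3
]


if __name__ == "__main__":
    print(evaluate(RULES, Packet("203.0.113.5", "192.0.2.10", "tcp", 80)))   # ('allow', 0)
    print(evaluate(RULES, Packet("203.0.113.5", "192.0.2.10", "tcp", 22)))   # ('deny', 3)
    print(evaluate(RULES, Packet("198.51.100.7", "10.0.0.1", "tcp", 80)))    # ('deny', None)
    print(shadowed_rules(RULES))                                            # [4]
```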

24

Technical Specifications SysSPs (cont’d.)

Figure 4-6 Firewall configuration rules

Source: Course Technology/Cengage Learning, Management of Information Security, 3rd ed.

25

Guidelines for Effective Policy

• Policies must be properly:
– Developed using industry-accepted practices
– Distributed or disseminated using all appropriate methods
– Reviewed or read by all employees
– Understood by all employees
– Formally agreed to by act or assertion
– Uniformly applied and enforced

26

Development steps

• Investigation (goals, support, participation)

• Analysis (risk assessment)

• Design (components, dissemination)

• Implement (detailed specification)

• Maintenance

• Distribution

27

Policy Comprehension

Figure 4-9 Readability statistics

Source: Course Technology/Cengage Learning, Management of Information Security, 3rd ed.

28

Automated Tools

Figure 4-10 The VigilEnt policy center

Source: Course Technology/Cengage Learning, Management of Information Security, 3rd ed.

29

The Information Security Policies Made Easy Approach

• Gathering key reference materials

• Defining a framework for policies

• Preparing a coverage matrix

• Making critical systems design decisions

• Structuring review, approval, and enforcement processes

30

The Information Security Policies Made Easy Approach (cont’d.)

Figure 4-11 A sample coverage matrix

Source: Course Technology/Cengage Learning, Management of Information Security, 3rd ed.

31

A Final Note on Policy

• Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy
– Policies exist, first and foremost, to inform employees of what is and is not acceptable behavior in the organization
– Policy seeks to improve employee productivity and prevent potentially embarrassing situations

32

Summary

• Introduction

• Why Policy?

• Enterprise Information Security Policy

• Issue-Specific Security Policy

• System-Specific Policy

• Guidelines for Policy Development

33

Next

• Ch 5: Developing the security program

34

Objectives

• Completion of this material will enable you to:
– Explain the organizational approaches to information security
– List and describe the functional components of an information security program
– Determine how to plan and staff an organization’s information security program based on its size
– Evaluate the internal and external factors that influence the activities and organization of an information security program
– List and describe the typical job titles and functions performed in the information security program
– Describe the components of a security education, training, and awareness program and explain how organizations create and manage these programs

35

Introduction

• Some organizations use “security program” to describe the entire set of personnel, plans, policies, and initiatives related to information security
– The term “information security program” is used here to describe the structure and organization of the effort that contains risks to the information assets of the organization

36

Organizing for Security

• Variables involved in structuring an information security program
– Organizational culture
– Size
– Security personnel budget
– Security capital budget
• As organizations increase in size:
– Their security departments are not keeping up with increasingly complex organizational infrastructures

37

Organizing for Security (cont’d.)

• Information security departments tend to form internal groups
– To meet long-term challenges and handle day-to-day security operations
• Functions are likely to be split into groups
• Smaller organizations typically create fewer groups
– Perhaps having only one general group of specialists

38

Organizing for Security (cont’d.)

• Very large organizations (> 10,000 computers)
– Security budgets often grow faster than IT budgets
– Even with a large budget, the average amount spent on security per user is still smaller than in any other type of organization
• Small organizations spend more than $5,000 per user on security; very large organizations spend about 1/18th of that, roughly $300 per user
– Very large organizations do a better job in the policy and resource management areas
– Only 1/3 of organizations handled incidents according to an IR plan

39

Organizing for Security (cont’d.)

• Large organizations
– Have 1,000 to 10,000 computers
– Security approach has often matured, integrating planning and policy into the organization’s culture
– Do not always put large amounts of resources into security
• Considering the vast numbers of computers and users often involved
– They tend to spend proportionally less on security

40

Security in Large Organizations

• One approach separates functions into four areas:
– Functions performed by non-technology business units outside of IT
– Functions performed by IT groups outside of the information security area
– Functions performed within the information security department as customer service
– Functions performed within the information security department as compliance

41

Security in Large Organizations (cont’d.)

• The CISO has responsibility for information security functions
– Should be adequately performed somewhere within the organization
• The deployment of full-time security personnel depends on:
– Sensitivity of the information to be protected
– Industry regulations
– General profitability
• The more money the company can dedicate to its personnel budget
– The more likely it is to maintain a large information security staff

42

Security in Large Organizations (cont’d.)

Figure 5-1 Example of information security staffing in a large organization

Source: Course Technology/Cengage Learning, Management of Information Security, 3rd ed.

43

Security in Large Organizations (cont’d.)

Figure 5-2 Example of information security staffing in a very large organization

Source: Course Technology/Cengage Learning, Management of Information Security, 3rd ed.

44

Security in Medium-Sized Organizations

• Have between 100 and 1,000 computers
– Have a smaller total budget
– Have the same sized security staff as the small organization, but a larger need
– Must rely on help from IT staff for plans and practices
– Ability to set policy, handle incidents, and effectively allocate resources is worse than any other size
– May be large enough to implement a multi-tiered approach to security
• With fewer dedicated groups and more functions assigned to each group
– Tend to ignore some security functions

45

Security in Medium-Sized Organizations (cont’d.)

Figure 5-3 Example of information security staffing in a medium-sized organization

Source: Course Technology/Cengage Learning, Management of Information Security, 3rd ed.

46

Security in Small Organizations

• Have between 10 and 100 computers
– Have a simple, centralized IT organizational model
– Spend disproportionately more on security
– Information security is often the responsibility of a single security administrator
– Have little in the way of formal policy, planning, or security measures
– Often outsource Web presence or e-commerce
– Security training and awareness is commonly conducted on a 1-on-1 basis
– Policies (when they exist) are often issue-specific
– Threats from insiders are less likely
• Every employee knows every other employee

47

Security in Small Organizations (cont’d.)

Figure 5-4 Example of information security staffing in a smaller organization

Source: Course Technology/Cengage Learning, Management of Information Security, 3rd ed.

48

Placing Information Security

• In large organizations
– InfoSec is often located within the information technology department
• Headed by the CISO, who reports directly to the top computing executive, or CIO
• An InfoSec program is sometimes at odds with the goals and objectives of the IT department as a whole, because the goals and objectives of the CIO and the CISO may come into conflict
– It is not difficult to understand the current movement to separate information security from the IT division
– The challenge is to design a reporting structure for the InfoSec program that balances the needs of each of the communities of interest

49

Placing Information Security, option 1: Information Technology

Source: From Information Security Roles and Responsibilities Made Easy, used with permission.

Figure 5-5 Wood’s Option 1: Information security reports to information technology department

50

Pros/cons

• Widespread use

• Close to CEO

• Within IT dept

• Conflict of interest

• Security is not just a technological issue

51

Placing Information Security, option 2: Security dept

Source: From Information Security Roles and Responsibilities Made Easy, used with permission.

Figure 5-6 Wood’s Option 2: Information security reports to broadly defined security department

52

Pros/cons

• Also popular

• In a dept that focuses on security

• Preventive viewpoint

• Cultural differences

• Resource allocation disparity

53

Placing Information Security, option 3: Administrative services

Source: From Information Security Roles and Responsibilities Made Easy, used with permission.

Figure 5-7 Wood’s Option 3: Information security reports to administrative services department

54

Pros/Cons

• Close to CEO

• Focus on people

• Disparity with the other concerns

55

Placing Information Security, option 4: insurance and risk mgmt

Source: From Information Security Roles and Responsibilities Made Easy, used with permission.

Figure 5-8 Wood’s Option 4: Information security reports to insurance and risk management department

56

Placing Information Security, option 5: strategy and planning

Source: From Information Security Roles and Responsibilities Made Easy, used with permission.

Figure 5-9 Wood’s Option 5: Information security reports to strategy and planning department

57

Components of the Security Program

• Organization’s information security needs
– Unique to the culture, size, and budget of the organization
– Determining what level the information security program operates on depends on the organization’s strategic plan
• Also the plan’s vision and mission statements
• The CIO and CISO should use these two documents to formulate the mission statement for the information security program

58

Information Security Roles and Titles

Figure 5-10 Information security roles

Source: Course Technology/Cengage Learning, Management of Information Security, 3rd ed.

59

Implementing Security Education, Training, and Awareness Programs

• SETA program
– Designed to reduce accidental security breaches
– Consists of three elements: security education, security training, and security awareness
• Awareness, training, and education programs offer two major benefits:
– Improving employee behavior
– Enabling the organization to hold employees accountable for their actions

60

Implementing SETA Programs (cont’d.)

• Purpose of SETA is to enhance security:
– By building in-depth knowledge, to design, implement, or operate security programs for organizations and systems
– By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
– By improving awareness of the need to protect system resources

61

Implementing SETA Programs (cont’d.)

Table 5-3 Framework of security education, training and awareness

Source: National Institute of Standards and Technology. An Introduction to Computer Security: The NIST Handbook. SP 800-12. http://csrc.nist.gov/publications/nistpubs/800-12/.

62

Security Education

• Employees within information security may be encouraged to seek a formal education
– If not prepared by their background or experience
– A number of institutions of higher learning, including colleges and universities, provide formal coursework in information security

63

Security Education (cont’d.)

Figure 5-11 Information security knowledge map

Source: Course Technology/Cengage Learning

64

Security Training

• Involves providing detailed information and hands-on instruction
– To develop user skills to perform their duties securely
• Develop customized training or outsource
• Customizing training for users
– By functional background
• General user
• Managerial user
• Technical user
– By skill level
• Novice
• Intermediate
• Advanced

65

Security Awareness

• One of the least frequently implemented, but most effective, security methods is the security awareness program
• Security awareness programs:
– Set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure
– Remind users of the procedures to be followed

66

Security Awareness (cont’d.)

– Refrain from using technical jargon
– Define learning objectives, state them clearly, and provide sufficient detail and coverage
– Keep things light
– Don’t overload the users
– Help users understand their roles in InfoSec
– Utilize in-house communications media
– Make the awareness program formal
– Provide good information early, rather than perfect information late

67

Security Awareness (cont’d.)

• Effective training and awareness programs make employees accountable for their actions
• Dissemination and enforcement of policy become easier when training and awareness programs are in place
• Demonstrating due care and due diligence can help indemnify the institution against lawsuits

68

Security Awareness (cont’d.)

• Many security awareness components are available at little or no cost
– Others can be very expensive
• Examples of security awareness components
– Videos
– Posters and banners
– Lectures and conferences
– Computer-based training

69

Security Awareness (cont’d.)

• Examples of security awareness components (cont’d.)
– Newsletters
– Brochures and flyers
– Trinkets (coffee cups, pens, pencils, T-shirts)
– Bulletin boards

70

Security Awareness (cont’d.)

• Organizations can establish Web pages or sites dedicated to promoting information security awareness
– The challenge lies in updating the messages frequently enough to keep them fresh
• Tips on creating and maintaining an educational Web site
– See what’s already out there
– Plan ahead
– Keep page loading time to a minimum
– Seek feedback
– Spend time promoting your site

71

Summary

• Introduction

• Organizing for security

• Placing information security within an organization

• Components of the security program

• Information security roles and titles

• Implementing security education, training, and awareness programs
