Introduction to the Management of Information Security


Page 1: Introduction to the Management of Information Security

Dan Hein, Dinesh Raveendran, Molly Coplen

Feb 3, 2008

Page 2: Organization

• Overview of Information Security

• Defining Security

• Information Security Management

• The Six P’s of Information Security

Page 3: Information Security

• Risk analysis is the essential central activity required to secure information assets:
  » Information asset enumeration
  » Threat enumeration
  » Threat potential and impact and/or damage

• Risk analysis provides the rationale (cost justification) for sound business decisions and cross-cuts several communities:
  » Information Security Community
  » Information Technology Community
  » General Business Community

Page 4: What is Security?

• The quality or state of being secure – to be free from danger.
  » Example: National Security

• Multiple types of security specialization:
  » Physical – Protection of people, physical assets, and the workplace
  » Operations – Carrying out operational activities without interruption or compromise
  » Communications – Protection of communication media, technology and content
  » Network – Protection of networking devices, connections and content

Page 5: Information Security

• Information Security (InfoSec) encompasses:
  » Management of information security
  » Computer & data security
  » Network security

[Figure: components of Information Security – Management of InfoSec, Network Security, Computer & Data Security, Policy]

Page 6: NSTISSC* Security Model

• NSTISSC* Security Model
  » A CNSS model known as the McCumber Cube
  » Purpose: Identify gaps in an information security program
  » Weakness: Addresses only the InfoSec community and leaves out the business and broader IT communities

* National Security Telecommunications and Information Systems Security Committee

[Figure: McCumber Cube – axes Confidentiality / Integrity / Availability; Policy / Education / Technology; Storage / Processing / Transmission]

Page 7: Key Concepts of InfoSec

• C.I.A. Triangle – basis for the CNSS model for InfoSec
• Three essential characteristics:
  » Confidentiality, integrity and availability
  » Limited in scope
  » Difficult to encompass a changing environment
  » Threats – accidental or intentional damage, destruction, theft, unintended or unauthorized modification, other human misuse or other threats

• Development of a robust model for the current IS environment and rapidly changing IT industry, with a comprehensive list of critical characteristics

Page 8: Key Concepts continued…

• Confidentiality
  » Only those with sufficient privileges and a demonstrated need may access certain information
  » Measures to protect it: information classification, secure document storage, application of general security policies, education of information custodians and end users, and cryptography
  » Examples of failures: mailing confidential information outside the organization, a hacker breaking in to an internal database

Page 9: Key Concepts continued…

• Integrity
  » The quality or state of being whole, complete, and uncorrupted
  » Corruption can occur while information is being entered, stored, or transmitted
  » Viruses, worms and even faulty programming can corrupt data
  » Detection: check the file’s state, or the file’s hash value or checksum
  » Prevention: redundancy bits and check bits, file hashing
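The slide's three integrity controls side by side, as an added example that is not part of the original presentation: a parity check (check bits), a CRC-32 checksum, and a SHA-256 file hash are recorded as a baseline and then re-checked against two constructed corruptions, one of which a parity check cannot see.

```python
import hashlib
import zlib

# Constructed sample file content and two corrupted variants (not real data).
ORIGINAL = b"account=alice;balance=1000;status=active\n"
BIT_FLIP = b"account=alice;balance=1001;status=active\n"  # one character changed
SWAPPED = b"balance=1000;account=alice;status=active\n"   # same bytes, reordered


def parity_bits(data: bytes) -> int:
    """Longitudinal parity (check bits): XOR of every byte. Detects any single
    corrupted byte, but cannot tell that bytes were reordered or that two
    changes cancelled each other out."""
    p = 0
    for b in data:
        p ^= b
    return p


def crc32(data: bytes) -> int:
    """CRC-32 checksum: position-sensitive, good against accidental corruption,
    but easy for an adversary to deliberately preserve."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_hex(data: bytes) -> str:
    """Cryptographic file hash: any change, accidental or deliberate, changes it."""
    return hashlib.sha256(data).hexdigest()


def baseline(data: bytes) -> dict:
    """Integrity values an organization stores alongside the file when it is known good."""
    return {"parity": parity_bits(data), "crc32": crc32(data), "sha256": sha256_hex(data)}


def verify(data: bytes, base: dict) -> dict:
    """Compare the file's current state against its baseline.
    True means that control detected no corruption."""
    return {
        "parity": parity_bits(data) == base["parity"],
        "crc32": crc32(data) == base["crc32"],
        "sha256": sha256_hex(data) == base["sha256"],
    }
```

Against `SWAPPED` only the checksum and hash report a change; the parity check still passes, which is why file hashing, not check bits alone, is the detection control for stored data.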

Page 10: Key Concepts continued…

• Availability
  » Characteristic of information that enables user access to information without interference, in a usable format
  » Access only for authorized users
  » Analogy: library access

• Privacy
  » Information that is collected, used and stored by an organization is intended only for the purposes stated to the data owner at the time it was collected
  » Violations: collecting, swapping and selling personal information; data used without the original owner’s consent

Page 11: Key Concepts continued…

• Identification
  » Ability to recognize individual users of an IS
  » First step in gaining access to secured data
  » Foundation for authentication and authorization
  » Performed with username and/or password

• Authentication
  » When a control provides proof that a user possesses the identity that he or she claims
  » Example: use of cryptographic certificates to establish SSL

Page 12: Key Concepts continued…

• Authorization
  » After authentication, this process provides the assurance that the user has been specifically and explicitly authorized by the proper authority
  » Example: activation and use of ACLs

• Accountability
  » When a control provides assurance that every activity undertaken can be attributed to a person or a process
  » Example: audit logs
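The chain from slides 11 and 12 in one place, as an added example that is not from the original presentation: identification by username, authentication against a stored password verifier, authorization by an explicit ACL (default deny), and an audit log entry for every outcome so each access decision can later be attributed. The users, the `payroll.db` object, and the shared salt are constructed for the example.

```python
import hashlib
import hmac

# Constructed shared salt for brevity; a real system stores a random salt per user.
_SALT = b"constructed-salt"


def _verifier(password: str, salt: bytes) -> bytes:
    """Derive the stored password verifier (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user directory: username -> stored verifier.
USERS = {
    "alice": _verifier("correct horse", _SALT),
    "bob": _verifier("battery staple", _SALT),
}

# Constructed ACL: object -> {username: permitted actions}.
ACL = {"payroll.db": {"alice": {"read", "write"}, "bob": {"read"}}}

AUDIT_LOG = []  # accountability: one record per access attempt


def authenticate(username: str, password: str) -> bool:
    """Authentication: prove the claimed identity against the stored verifier.
    Constant-time comparison so a mismatch does not leak timing information."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _verifier(password, _SALT))


def authorize(username: str, obj: str, action: str) -> bool:
    """Authorization: the ACL must explicitly grant the action (default deny)."""
    return action in ACL.get(obj, {}).get(username, set())


def access(username: str, password: str, obj: str, action: str) -> bool:
    """Identification (username) -> authentication -> authorization.
    Every outcome, including denials, is written to the audit log."""
    if not authenticate(username, password):
        outcome = "denied:authentication"
    elif not authorize(username, obj, action):
        outcome = "denied:authorization"
    else:
        outcome = "granted"
    AUDIT_LOG.append({"user": username, "object": obj, "action": action, "outcome": outcome})
    return outcome == "granted"
```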

Page 13: What is Management?

» Management is the process of achieving objectives given a set of resources.

» A manager is a member of the organization assigned to marshal and administer resources, coordinate the completion of tasks, and handle the many roles necessary to meet the desired objectives.

Page 14: Management Theories

• Frederick Winslow Taylor (1900s)
  » Wandered around factories with a stopwatch and a clipboard to measure worker productivity.
  » Management’s job is to improve productivity by refining the processes workers perform.

• Douglas McGregor – Theory X and Theory Y (1960)
  » Theory X: Classic command and control – “carrot-and-the-stick”; workers are basically lazy.
  » Theory Y: People exercise self-direction and self-control in the achievement of organizational objectives. Carrots induce people to stay.

Page 15: Management Theories

• W. Edwards Deming – Total Quality Management (1980s)
  » Stressed quality and customer focus in internal operations
  » Decision making, performance measurement, and compensation
  » Vertical integration

• Business Process Re-engineering (1990s)
  » Reorganize the business around processes such as purchasing, marketing, and distribution instead of corporate silos based on products and geography.

Page 16: Leadership versus Management

• Leaders
  » Influence employees so that they are willing to accomplish objectives.
  » Leadership provides purpose, direction, and motivation to those who follow.

• Managers
  » Administer the resources of the organization:
    • Create budgets
    • Authorize expenditures
    • Hire employees

Page 17: Key Characteristic of a Leader

A key characteristic of a leader is concern for subordinates as well as strong motivation for accomplishing organizational objectives. Exhibit the principles of be, know, and do.

As a leader you must be a person of strong and honorable character, be committed to professional ethics, be an example of individual values, and be able to resolve complex ethical dilemmas. You must know the details of your situation, the standards to which you work, yourself, human nature, and your team. You must do by providing purpose, direction, and motivation to your teams.

Page 18: Characteristics of a Leader – US Military Model

• Bearing
• Courage
• Decisiveness
• Dependability
• Endurance
• Enthusiasm
• Initiative
• Integrity
• Judgment
• Justice
• Knowledge
• Loyalty
• Tact
• Unselfishness

Page 19: Improvement of Leadership Abilities

• Know yourself and seek self-improvement
• Be technically and tactically proficient
• Seek responsibility and take responsibility for your actions
• Make sound and timely decisions
• Set the example
• Know your subordinates and look out for their well-being
• Keep your subordinates informed
• Develop a sense of responsibility in your subordinates
• Ensure the task is understood, supervised, and accomplished
• Build the team
• Employ your team in accordance with its capabilities

Page 20: Behavioral Types of Leaders

• Autocratic
  » Reserves all decision-making responsibility for himself or herself; a “do as I say” type of manager.
  » Issues an order to accomplish a task and does not seek or accept alternative viewpoints.

• Democratic
  » Seeks input from all interested parties, requesting ideas and suggestions, and then formulates a position that can be supported by a majority.

• Laissez-faire
  » Allows the process to develop as it goes, making only minimal decisions to avoid bringing the process to a complete halt.

Page 21: The Planning-Controlling Link

[Figure: the four management functions as a cycle]

• Planning – Goals, Objectives, Strategies, Plans
• Organizing – Structure, Human Resource Management
• Leading – Motivation, Leadership, Communication, Behavior
• Controlling – Standards, Measurements, Comparisons, Action

Page 22: Planning

• Strategic
  » Highest level of the organization – Board of Directors, Executive Management
  » Time horizon – five or more years

• Tactical
  » Mid-level managers – implementation of the strategic plan
  » Time horizon – one to five years

• Operational
  » Supervisors – day-to-day operations of local resources
  » Time horizon – immediate

Page 23: Organizing

“The principle of management dedicated to the structuring of resources to support the accomplishment of objectives.”

» Organizing tasks:
  • What is to be done, and in what order
  • Who is doing the work
  • How the work is being accomplished
  • When – timeline

Page 24: Leadership and Motivation

• Peter Drucker
  » A responsible manager has authority.
  » Workers are led, not managed.
  » The workplace is participatory, but not “free-wheeling.”
  » Workers are not motivated through money alone.
  » Each worker is motivated differently, according to the individual and the situation.
  » Management recognizes that workers could leave the organization.

Page 25: What Motivates Workers

• Work with people who treat me with respect
• Interesting work
• Recognition
• Opportunity to develop skills
• Work for people who will listen to you
• Ability to think for self, not just carry out instructions
• Seeing the end results of my work
• Work for efficient managers
• Job security
• High pay
• Good benefits

Page 26: Controlling

• This function determines what is monitored, the tools to gather and evaluate information, and the corrective action.

• Four categories of control tools:
  » Information – flow of information in the organization
  » Financial – guide the expenditure of monetary resources
  » Operational – evaluate the efficiency and effectiveness of business process flows
  » Behavioral – evaluate the efficiency and effectiveness of human resources

Page 27: Control Process

[Figure: control process flowchart – inputs Performance Standard and Actual Performance; step Compare Actual vs Standard; Yes/No decisions Standard Attained?, Variance Accepted?, Standard Acceptable?; outcomes Continue Process, Identify cause of variation, Correct Performance, Revise Standard]

Page 28: Solving Problems

• Step 1: Recognize and Define the Problem
  » How do I know that I have a problem?
  » What is the real cause of the problem?

• Step 2: Gather Facts and Make Assumptions
  » Interview, collect data, review documentation

• Step 3: Develop Possible Solutions
  » Brainstorm, interview experts, review research

• Step 4: Analyze and Compare Possible Solutions
  » Financial impact, cost-benefit analysis, operational impact
  » Unintended consequences?

• Step 5: Select, Implement, and Evaluate a Solution
  » Monitor the solution – did it have the intended impact?

Page 29: Six Principles of Information Security

1. Planning – Draw upon larger business / IT plans to develop InfoSec plans that support business goals and objectives.

2. Policy – Organizational document(s) specifying acceptable and unacceptable use, actions constituting abuse, and punishments for violators [Panko03].

3. Programs – Ongoing operational activities to support the goals of information security: education, training, drills, and on-site physical access.

Page 30: Six Principles continued…

4. Protection – Ongoing risk management identifies information assets, enumerates threats, and performs risk reduction or transference.

5. People – Training people within an organization is critical for maintaining proper information security; some of the simplest attacks are social-engineering attacks.

6. Project Management – Continuously monitoring and measuring progress towards InfoSec goals/objectives and taking corrective action when needed.

Page 31: Questions?

Page 32: Bibliography

• Anonymous, “The Way We Were,” Management Today, London: June 1998, pp. 111-112.

• Anonymous, “TQM – A Cornerstone of Quality,” Quality Progress, Milwaukee: November 2006, Vol. 39, Iss. 11, pp. 32-33.

• William A. Cohen, A Class with Drucker, New York: AMACOM, 2008.

• W. E. Deming, Out of the Crisis, MIT Press, 1982.

• Richard J. Hackman and Ruth Wageman, “Total Quality Management: Empirical, Conceptual, and Practical Issues,” Administrative Science Quarterly, Ithaca: June 1995, Vol. 40, Iss. 2, pp. 309-342.

• Raymond R. Panko, Corporate Computer and Network Security, New Jersey: Prentice Hall, 2003, pp. 324-330. [Panko03]

• Michael E. Whitman and Herbert J. Mattord, Management of Information Security, Thompson Course Technology, 2008, pp. 1-20.

• “Survey: The X and Y Factors,” The Economist, London: January 21, 2006, Vol. 378, Iss. 8461, p. 19.