05 Developing the Security Program
Objectives

• Upon completion of this material you should be able to:
  – Explain the organizational approaches to information security
  – List and describe the functional components of an information security program
  – Determine how to plan and staff an organization’s information security program based on its size

IS4231 – 05 Developing the Security Program
Objectives (cont’d.)

• Upon completion of this material you should be able to: (cont’d.)
  – Evaluate the internal and external factors that influence the activities and organization of an information security program
  – List and describe the typical job titles and functions performed in the information security program

Objectives (cont’d.)

• Upon completion of this material you should be able to: (cont’d.)
  – Describe the components of a security education, training, and awareness program and explain how organizations create and manage these programs

Introduction

• Some organizations use “security program” to describe the entire set of personnel, plans, policies, and initiatives related to information security
  – The term “information security program” is used here to describe the structure and organization of the effort that contains risks to the information assets of the organization

Organizing for Security

• Variables involved in structuring an information security program
  – Organizational culture
  – Size
  – Security personnel budget
  – Security capital budget
• As organizations increase in size:
  – Their security departments are not keeping up with increasingly complex organizational infrastructures

IS4231 – 01 Introduction to Information Security Management
Organizing for Security (cont’d.)

• Information security departments tend to form internal groups
  – To meet long-term challenges and handle day-to-day security operations
• Functions are likely to be split into groups
• Smaller organizations typically create fewer groups
  – Perhaps having only one general group of specialists

Organizing for Security (cont’d.)

• Very large organizations
  – More than 10,000 computers
  – Security budgets often grow faster than IT budgets
  – Even with a large budget, the average amount spent on security per user is still smaller than in any other type of organization
    ▪ Small organizations spend more than $5,000 per user on security; very large organizations spend about 1/18th of that, roughly $300 per user

Organizing for Security (cont’d.)

• Very large organizations (cont’d.)
  – Do a better job in the policy and resource management areas
  – Only 1/3 of organizations handled incidents according to an IR plan
• Large organizations
  – Have 1,000 to 10,000 computers
  – Security approach has often matured, integrating planning and policy into the organization’s culture

Organizing for Security (cont’d.)

• Large organizations (cont’d.)
  – Do not always put large amounts of resources into security
    ▪ Considering the vast numbers of computers and users often involved
  – They tend to spend proportionally less on security

Security in Large Organizations

• One approach separates functions into four areas:
  – Functions performed by non-technology business units outside of IT
  – Functions performed by IT groups outside of the information security area
  – Functions performed within the information security department as customer service
  – Functions performed within the information security department as compliance

Security in Large Organizations (cont’d.)

• The CISO has responsibility for information security functions
  – Should be adequately performed somewhere within the organization
• The deployment of full-time security personnel depends on:
  – Sensitivity of the information to be protected
  – Industry regulations
  – General profitability

Security in Large Organizations (cont’d.)

• The more money the company can dedicate to its personnel budget
  – The more likely it is to maintain a large information security staff

Security in Large Organizations (cont’d.)

Information security staffing in a large organization

Security in Large Organizations (cont’d.)

Information security staffing in a very large organization

Security in Medium-Sized Organizations

• Medium-sized organizations
  – Have between 100 and 1000 computers
  – Have a smaller total budget
  – Have the same-sized security staff as the small organization, but a larger need
  – Must rely on help from IT staff for plans and practices
  – Ability to set policy, handle incidents, and effectively allocate resources is worse than any other size

Security in Medium-Sized Organizations (cont’d.)

• Medium-sized organizations (cont’d.)
  – May be large enough to implement a multi-tiered approach to security
    ▪ With fewer dedicated groups and more functions assigned to each group
  – Tend to ignore some security functions

Security in Small Organizations

• Small organizations
  – Have between 10 and 100 computers
  – Have a simple, centralized IT organizational model
  – Spend disproportionately more on security
  – Information security is often the responsibility of a single security administrator
  – Have little in the way of formal policy, planning, or security measures

Security in Small Organizations (cont’d.)

• Small organizations (cont’d.)
  – Commonly outsource their Web presence or electronic commerce operations
  – Security training and awareness is commonly conducted on a 1-on-1 basis
  – Policies (when they exist) are often issue-specific
  – Formal planning is often part of IT planning
  – Threats from insiders are less likely
    ▪ Every employee knows every other employee

Placing Information Security Within An Organization

• In large organizations
  – InfoSec is often located within the information technology department
    ▪ Headed by the CISO who reports directly to the top computing executive, or CIO
• An InfoSec program is sometimes at odds with the goals and objectives of the IT department as a whole

Placing Information Security Within An Organization (cont’d.)

• Because the goals and objectives of the CIO and the CISO may come in conflict
  – It is not difficult to understand the current movement to separate information security from the IT division
  – The challenge is to design a reporting structure for the InfoSec program that balances the needs of each of the communities of interest

Placing Information Security Within an Organization (cont’d.)

• Other options
  – Option 6: Legal
  – Option 7: Internal audit
  – Option 8: Help desk
  – Option 9: Accounting and finance through IT
  – Option 10: Human resources
  – Option 11: Facilities management
  – Option 12: Operations

Components of the Security Program

• Organization’s information security needs
  – Unique to the culture, size, and budget of the organization
  – Determining what level the information security program operates on depends on the organization’s strategic plan
    ▪ Also the plan’s vision and mission statements
    ▪ The CIO and CISO should use these two documents to formulate the mission statement for the information security program

Components of the Security Program (cont’d.)

• An Introduction to Computer Security: The NIST Handbook (NIST SP 800-12)
• Generally Accepted Principles and Practices for Securing Information Technology Systems (NIST SP 800-14)

Elements of a Security Program
Information Security Roles and Titles

• Types of information security positions
  – Those that define
    ▪ Provide the policies, guidelines, and standards
    ▪ Do the consulting and the risk assessment
    ▪ Develop the product and technical architectures
    ▪ Senior people with a lot of broad knowledge, but often not a lot of depth
  – Those that build
    ▪ The real “techies” who create and install security solutions

Information Security Roles and Titles (cont’d.)

• Types of information security positions (cont’d.)
  – Those that administer
    ▪ Operate and administer the security tools and the security monitoring function
    ▪ Continuously improve the processes
• A typical organization has a number of individuals with information security responsibilities

Information Security Roles and Titles (cont’d.)

• Titles used may be different, but most of the job functions fit into one of the following:
  – Chief Information Security Officer (CISO) or Chief Security Officer (CSO)
    ▪ Equivalent titles/roles: Manager of Security, Director of Security
  – Security managers
  – Security administrators and analysts
  – Security technicians
  – Security staffers & watch-standers

Information Security Roles and Titles (cont’d.)

• Titles used may be different, but most of the job functions fit into one of the following (cont’d.):
  – Security consultants
  – Security officers & investigators
  – Help desk personnel

Help Desk Personnel

• Help desk
  – An important part of the information security team
  – Enhances the security team’s ability to identify potential problems
  – When a user calls the help desk with a complaint, the user’s problem may turn out to be related to a bigger problem, such as a hacker, denial-of-service attack, or a virus

Help Desk Personnel (cont’d.)

• Help desk (cont’d.)
  – Because help desk technicians perform a specialized role in information security, they have a need for specialized training

Implementing Security Education, Training, and Awareness Programs

• SETA program
  – Designed to reduce accidental security breaches
  – Consists of three elements: security education, security training, and security awareness
• Awareness, training, and education programs offer three major benefits:
  – Improving employee behavior
  – Informing employees how to report policy breaches
  – Enabling the organization to hold employees accountable for their actions

Implementing SETA Programs (cont’d.)

• Purpose of SETA is to enhance security:
  – By building in-depth knowledge, to design, implement, or operate security programs for organizations and systems
  – By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
  – By improving awareness of the need to protect system resources

Implementing SETA Programs (cont’d.)

SETA Framework

Security Education

• Employees within information security may be encouraged to seek a formal education
  – If not prepared by their background or experience
  – A number of institutions of higher learning, including colleges and universities, provide formal coursework in information security

Security Education (cont’d.)

• A knowledge map
  – Can help potential students assess information security programs
  – Identifies the skills and knowledge clusters obtained by the program’s graduates
  – Creating the map can be difficult because many academics are unaware of the numerous sub-disciplines within the field of information security
    ▪ Each of which may have different knowledge requirements

Security Training

• Involves providing detailed information and hands-on instruction
  – To develop user skills to perform their duties securely
• Management can either develop customized training or outsource

Security Training (cont’d.)

• Customizing training for users
  – By functional background
    ▪ General user
    ▪ Managerial user
    ▪ Technical user
  – By skill level
    ▪ Novice
    ▪ Intermediate
    ▪ Advanced

Training Techniques

• Using the wrong method
  – Can hinder the transfer of knowledge
    ▪ Leading to unnecessary expense and frustrated, poorly trained employees
• Good training programs
  – Take advantage of the latest learning technologies and best practices

Training Techniques (cont’d.)

• Training is often for one or a few individuals
  – Waiting until there is a large-enough group for a class can cost companies lost productivity
• Other best practices
  – Increased use of short, task-oriented modules
    ▪ Available during the normal work week
• Selection of the training delivery method
  – Not always based on the best outcome for the trainee
    ▪ Often overridden by budget, scheduling, and needs of the organization

Training Techniques (cont’d.)

• Types of delivery methods
  – One-on-one
  – Formal class
  – Computer-based training (CBT)
  – Distance learning/web seminars
  – User support group
  – On-the-job training
  – Self-study (non-computerized)

Training Techniques (cont’d.)

• Selecting training staff
  – Use a local training program
  – Use a continuing education department
  – Use another external training agency
  – Hire a professional trainer/consultant from an accredited institution to conduct on-site training
  – Organize and conduct training in-house using the organization’s own employees

Implementing Training

• Seven-step methodology generally applies:
  – Step 1: Identify program scope, goals, and objectives
  – Step 2: Identify training staff
  – Step 3: Identify target audiences
  – Step 4: Motivate management and employees
  – Step 5: Administer the program
  – Step 6: Maintain the program
  – Step 7: Evaluate the program

Security Awareness

• One of the least frequently implemented, but most effective security methods is the security awareness program
• Security awareness programs:
  – Set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure
  – Remind users of the procedures to be followed

Security Awareness (cont’d.)

• Best practices
  – Focus on people
  – Refrain from using technical jargon
  – Use every available venue
  – Define learning objectives, state them clearly, and provide sufficient detail and coverage
  – Keep things light
  – Don’t overload the users
  – Help users understand their roles in InfoSec

Security Awareness (cont’d.)

• Best practices (cont’d.)
  – Take advantage of in-house communications media
  – Make the awareness program formal
    ▪ Plan and document all actions
  – Provide good information early, rather than perfect information late

Security Awareness (cont’d.)

• The ten commandments of information security awareness training
  – Information security is a people, rather than a technical, issue
  – If you want them to understand, speak their language
  – If they cannot see it, they will not learn it
  – Make your point so that you can identify it and so can they
  – Never lose your sense of humor

Security Awareness (cont’d.)

• The ten commandments of information security awareness training (cont’d.)
  – Make your point, support it, and conclude it
  – Always let the recipients know how the behavior that you request will affect them
  – Ride the tame horses
  – Formalize your training methodology
  – Always be timely, even if it means slipping schedules to include urgent information

Security Awareness (cont’d.)

• Security awareness and security training are designed to modify any employee behavior that endangers the security of the organization’s information
  – Security training and awareness activities can be undermined if management does not set a good example

Security Awareness (cont’d.)

• Effective training and awareness programs make employees accountable for their actions
• Dissemination and enforcement of policy become easier when training and awareness programs are in place
• Demonstrating due care and due diligence can help indemnify the institution against lawsuits

Security Awareness (cont’d.)

• Awareness can take on different forms for particular audiences
• A security awareness program can use many methods to deliver its message
• Recognize that people tend to practice a tuning out process (acclimation)
  – Awareness techniques should be creative and frequently changed

Security Awareness (cont’d.)

• Many security awareness components are available at little or no cost
  – Others can be very expensive
• Examples of security awareness components
  – Videos
  – Posters and banners
  – Lectures and conferences
  – Computer-based training

Security Awareness (cont’d.)

• Examples of security awareness components (cont’d.)
  – Newsletters
  – Brochures and flyers
  – Trinkets (coffee cups, pens, pencils, T-shirts)
  – Bulletin boards

Security Awareness (cont’d.)

• Security newsletter
  – A cost-effective way to disseminate security information
  – Newsletters can be in the form of hard copy, e-mail, or intranet
  – Topics can include threats to the organization’s information assets, schedules for upcoming security classes, and the addition of new security personnel

Security Awareness (cont’d.)

• Security newsletter (cont’d.)
  – The goal is to keep the idea of information security uppermost in users’ minds and to stimulate them to care about security
  – Newsletters might include:
    ▪ Summaries of key policies
    ▪ Summaries of key news articles
    ▪ A calendar of security events, including training sessions, presentations, and other activities
    ▪ Announcements relevant to information security
    ▪ How-to’s

Security Awareness (cont’d.)

• Security poster series
  – A simple and inexpensive way to keep security on people’s minds
  – Professional posters can be quite expensive, so in-house development may be the best solution
  – Keys to a good poster series:
    ▪ Varying the content and keeping posters updated
    ▪ Keeping them simple, but visually interesting
    ▪ Making the message clear
    ▪ Providing information on reporting violations

Security Awareness (cont’d.)

• Trinket programs
  – Inexpensive on a per-unit basis
  – They can be expensive to distribute
• Types of trinkets
  – Pens and pencils, mouse pads
  – Coffee mugs, plastic cups
  – Hats, T-shirts
• The messages trinket programs impart will be lost unless reinforced by other means

Security Awareness (cont’d.)

• Organizations can establish Web pages or sites dedicated to promoting information security awareness
  – The challenge lies in updating the messages frequently enough to keep them fresh
• Tips on creating and maintaining an educational Web site
  – See what’s already out there
  – Plan ahead

Security Awareness (cont’d.)

• Tips on creating and maintaining an educational Web site (cont’d.)
  – Keep page loading time to a minimum
  – Seek feedback
  – Assume nothing and check everything
  – Spend time promoting your site

Security Awareness (cont’d.)

• Security awareness conference
  – Have a guest speaker or even a mini-conference dedicated to the topic
    ▪ Perhaps in association with national security awareness days or campaigns

Summary

• Introduction
• Organizing for security
• Placing information security within an organization
• Components of the security program
• Information security roles and titles
• Implementing security education, training, and awareness programs

Thank you!
Any questions or comments?