Information Systems Security Officer

Published on Scribd by mabesnina, Feb 13, 2011. Copyright: Attribution Non-commercial.
CS 996: Information Security Management
Pavel Margolin, 4/20/05

Overview
- Who is an ISSO?
- Duties and Responsibilities
- Planning
- Establishing the CIAPP
- InfoSec Functions
- InfoSec in the Government

Who is an ISSO?
- ISSO – Information Systems Security Officer
- Reports to the Chief Information Officer (CIO), who reports to the CEO
- Leader of the Information Security (InfoSec) organization
- Qualifications
  - Manage and organize people
  - Communicate to upper management without much technical detail
  - Have enough technical expertise to understand systems and make decisions

Duties and Responsibilities
- Establishing and enforcing the Corporate Information Assets Protection Program (CIAPP)
- Managing people
- Managing the business of the CIAPP
- Managing CIAPP processes
- Hiring InfoSec staff
- Reporting to upper management

Planning
- Strategic Plan (ISSSP)
  - Compatible with the Strategic Business Plan
  - Long-term direction, goals, and objectives
- Tactical Plan (ITP)
  - Short-range plan
  - Supports CIAPP and InfoSec functional goals and objectives
- Annual Plan (IAP)
  - Identify and implement projects to accomplish the goals and objectives in the ISSSP and ITP
  - Plan of projects for the year

Establishing the CIAPP
- Reasons for the CIAPP
- Corporate vision, mission, and quality statements
- Corporate strategic, tactical, and annual business plans
- InfoSec vision, mission, and quality statements
- InfoSec strategic, tactical, and annual business plans
- Information and systems legal, ethical, and best business practices
- Overall information assets protection plans, policies, and procedures
- Current CIAPP-related and InfoSec policies
- Current CIAPP-related and InfoSec procedures
- Other topics as deemed appropriate by the ISSO

CIAPP Process (diagram)
- Business drivers: Costs, Profits, Sales, Public Relations, Stockholders' value, Laws, Regulations, Business Practices, Ethics
- InfoSec inputs: Risk Assessments, Vulnerability assessments, Threat Assessments, Limited Risk assessments, Risk analyses, Best InfoSec Practices
- Outputs, in the order shown: Business Decisions, InfoSec Policies, InfoSec Procedures, InfoSec Processes, CIAPP

Example CIAPP Requirements and Policy Directive
1. Introduction Section
2. Purpose Section
3. Scope Section
4. Responsibilities
5. Requirements Section
   A. Identifying the value of the information
   B. Access to information systems
   C. Access to specific applications and files
   D. Audit trails and their review
   E. Reporting and response in the event of a violation
   F. Minimum protection requirements for the hardware, firmware and software
   G. Requirements for InfoSec procedures at other departments and lower levels of the corporation
6. Physical Security (optional if Physical Security is handled by the Director of Security)

InfoSec Functions
- Processes
- Valuing Information
- Awareness
- Access Control
- Evaluation of all hardware, firmware and software
- Risk Management
- Security Tests and Evaluations program
- Noncompliance Inquiries
- Contingency and Emergency Planning and Disaster Recovery program (CEP-DR)

Function Drivers (diagram)
- Requirements drivers: Customers, Contracts, InfoSec Custodians, Users, Management, Audits, Tests & Evaluations, Other employees, Laws, Regulations, Non-compliance Inquiries, Investigations, Trade articles, Technical Bulletins, Business Plans, ISSO's plans, Best business practices, Best InfoSec practices
- These drivers shape the CIAPP and the ISSO's CIAPP organizational requirements, responsibilities, and charter
- ISSO Organizational Functions: Identification of InfoSec requirements; Access control; Non-compliance Inquiries (NCI); Disaster Recovery/Emergency Planning; Tests and Evaluations; Intranet Security; Internet and Web Site Security; Security Applications Protection; Security Software Development; Software Interface InfoSec Evaluations; Access Control Violations Analysis; Systems' Approvals; CIAPP Awareness and Training; Contractual Compliance Inspections; InfoSec Risk Management

InfoSec in the Government
- National Security Classified Information
  - Confidential – loss or unauthorized disclosure of this information can cause damage to national security
  - Secret – loss or unauthorized disclosure of this information can cause serious damage to national security
  - Top Secret – loss or unauthorized disclosure of this information can cause grave damage to national security
  - Black/Compartmented – access granted on a need-to-know (NTK) basis, in addition to the clearance level. Ex: Sensitive Compartmented Information (SCI)
- Unclassified
  - For Official Use Only
  - Unclassified but Sensitive Information
  - Unclassified

InfoSec Requirements in the Government
- InfoSec policy – laws, rules, and practices that regulate how organizations handle national security data
- Accountability – assigning responsibility and accountability to individuals or groups who deal with national security information
- Assurance – guarantees that the InfoSec policy is implemented correctly and that the InfoSec elements accurately mediate and enforce the policy
- Documentation – records how a system is structured, its functions, and how the system was designed

InfoSec Objectives in the Government
- Protect and defend all information used by an AIS (automated information system)
- Prevent unauthorized access, modification, damage, destruction, or DoS
- Provide assurances of:
  - Compliance with government and contractual obligations and agreements
  - Confidentiality of all classified information
  - Integrity of information and related processes
  - Availability of information
  - Usage of the information and AIS by authorized personnel only
- Identification and elimination of fraud, waste, and abuse

ISSO at Gov't Agencies
- Maintain a plan for site security improvement
- Ensure IS systems are operated, used, maintained and disposed of properly
- Ensure IS systems are certified and accredited
- Ensure users and personnel have the required security clearances, authorization and NTK, and are familiar with internal security practices
- Enforce security policies and safeguards on personnel having access to an IS
- Ensure audit trails are reviewed periodically
- Initiate protective and corrective measures
- Report security incidents in accordance with agency-specific policy
- Report the security status of the IS
- Evaluate known vulnerabilities to determine if additional security is needed
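The two government slides above (classification levels with compartments granted on a need-to-know basis, and the ISSO duties to check clearance plus NTK and to review audit trails) describe a mandatory access control model without showing how a system would mediate a request. The following is an added example, not code from the slides or from the cited references: it encodes the slide's levels as an ordered scale, treats compartments as a set, and applies the standard Bell-LaPadula style dominance rule (a subject may read an object only if its clearance level is at least the object's level and it holds every compartment the object is marked with; it may write only where the object's marking dominates its clearance). Every decision is appended to an audit trail so the "periodic review" duty has something to operate on. The user names, object names and compartment names are constructed sample data; folding the unclassified sub-markings (FOUO, unclassified-but-sensitive) into a single level is a simplification the slides do not make.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ordered from least to most sensitive. The unclassified sub-markings on
# the slide are folded into one level here (a simplification, assumed).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: hierarchical level plus NTK compartments."""
    level: str
    compartments: frozenset = frozenset()

    def __post_init__(self) -> None:
        if self.level not in RANK:
            raise ValueError(f"unknown classification level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as sensitive as `other` on both
        axes: higher-or-equal level AND a superset of the compartments."""
        return (RANK[self.level] >= RANK[other.level]
                and other.compartments <= self.compartments)


def may_read(clearance: Label, marking: Label) -> bool:
    """'No read up': the subject's clearance must dominate the object."""
    return clearance.dominates(marking)


def may_write(clearance: Label, marking: Label) -> bool:
    """'No write down': the object's marking must dominate the clearance,
    so a TOP SECRET user cannot copy TS data into a SECRET file."""
    return marking.dominates(clearance)


# Constructed sample data: clearances granted to users and markings on
# objects. Names and compartments are made up for this example.
CLEARANCES = {
    "alice": Label("TOP SECRET", frozenset({"ALPHA"})),
    "bob": Label("SECRET", frozenset({"ALPHA", "BRAVO"})),
    "carol": Label("CONFIDENTIAL"),
}
MARKINGS = {
    "ops-plan.doc": Label("SECRET", frozenset({"ALPHA"})),
    "sci-report.doc": Label("TOP SECRET", frozenset({"ALPHA", "BRAVO"})),
    "phonebook.doc": Label("UNCLASSIFIED"),
}


def check_access(user: str, action: str, obj: str) -> Tuple[bool, str]:
    """Mediate one request and return (allowed, audit-trail line).

    Unknown users, unknown objects and unknown actions are denied
    (fail closed), and every decision is recorded for later review.
    """
    clearance = CLEARANCES.get(user)
    marking = MARKINGS.get(obj)
    if clearance is None or marking is None or action not in ("read", "write"):
        allowed = False
    elif action == "read":
        allowed = may_read(clearance, marking)
    else:
        allowed = may_write(clearance, marking)
    verdict = "ALLOW" if allowed else "DENY"
    return allowed, f"{verdict} user={user} action={action} object={obj}"


def review_audit_trail(trail: List[str]) -> List[str]:
    """Periodic review step: return the DENY entries, which are the
    candidate violations an ISSO would investigate and report."""
    return [line for line in trail if line.startswith("DENY ")]


if __name__ == "__main__":
    trail = []
    for req in [("alice", "read", "ops-plan.doc"),
                ("alice", "read", "sci-report.doc"),   # lacks BRAVO compartment
                ("bob", "read", "sci-report.doc"),     # clearance level too low
                ("alice", "write", "phonebook.doc"),   # write down is refused
                ("carol", "read", "phonebook.doc"),
                ("mallory", "read", "ops-plan.doc")]:  # no clearance on file
        trail.append(check_access(*req)[1])
    print("\n".join(trail))
    print("entries to review:", len(review_audit_trail(trail)))
```

The point worth noticing is that clearance level alone is not enough: alice holds TOP SECRET yet is refused the SCI report because she lacks the BRAVO compartment, which is exactly the need-to-know distinction the slide draws between "Top Secret" and "Black/Compartmented". Denying on unknown users or actions rather than falling through to a permissive default is the least-privilege posture an accreditor would expect.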

Levels of Performance
- Entry Level – Identify vulnerabilities and recommend security solutions required to return the system to an operational level of assurance.
- Intermediate Level – For a new system architecture, investigate and document system security technology, policy and training requirements in support of upper management.
- Advanced Level – For an accreditation action, analyze and evaluate system security technology, policies and training requirements to assure system operation at a specified level of assurance. The analysis will include a description of the management/technology team required to successfully complete the accreditation process.

Duties of Gov't ISSO
- Develop Certification and Accreditation Posture
  - Plan for Certification and Accreditation
  - Create CIA Policy
  - Control Systems Policy
  - Culture and Ethics
  - Incident Response
- Implement Site Security Policy
  - Provide CIA
  - Ensure Facility is approved
  - Manage Operations of Information Systems
  - Regulate General Principles (Access Control, Training, Awareness, CC, Legal aspects, etc.)
  - Security Management
  - Access Controls (Human Access, Key Management)
  - Incident Response

Duties (continued)
- Enforce and verify system security policy
  - CIA and Accountability
  - Security Management
  - Access Controls
  - Automated Security Tools
  - Handling Media
  - Incident Response
  - Security Continuity
- Reporting
  - Report Security Incidents
  - Law
  - Report Security Status of IS as required by upper management
  - Report to Inspector General (IG)
  - Report on site security status

Duties (continued)
- Support Certification and Accreditation
  - Certification Functions
  - Accreditation Functions
- Respond to upper management requests

References
- Dr. Gerald L. Kovacich, "The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program"
- "Information Assurance Training Standard for Information Systems Security Officers", http://www.cnss.gov/instructions.html
