
Lecture 2, 03-02-2020
Information Security Management
Dr. Muhammad Nadeem Sial
muhammad.sial@kcl.ac.uk, nadeem_606@yahoo.com
Course Outline
• Information Security Governance & Risk Management
• Cryptography
• Access Control
• Telecommunication and Network Security
• Software Development Security
• Security Architecture & Design
• Operations Security
• Business Continuity & Disaster Recovery Planning
• Legal, Regulations, Investigations and Compliance
• Physical (Environment) Security
Course Outline (CISSP 7th Edition by James Michael Stewart)
• Info Security Governance & Risk Mgt
  • Chapter 1: Security Governance Through Principles and Policies
  • Chapter 2: Personnel Security and Risk Mgt Concepts
  • Chapter 5: Protecting Security of Assets
• Cryptography
  • Chapter 6: Cryptography and Symmetric Key Algorithms
  • Chapter 7: PKI and Cryptographic Applications
• Access Control
  • Chapter 13: Managing Identity and Authentication
  • Chapter 14: Controlling and Monitoring Access
• Telecommunication and NW Security
  • Chapter 11: Secure Network Architecture and Securing Network Components
  • Chapter 12: Secure Comm and Network Attacks
• Software Dev Security
  • Chapter 20: Software Dev Security
  • Chapter 21: Malicious Code and Application Attacks
• Security Architecture & Design
  • Chapter 8: Principles of Security Models, Design & Capabilities
  • Chapter 9: Security Vulnerabilities, Threats and Countermeasures
  • Chapter 15: Security Assessment and Testing
• Operations Security
  • Chapter 16: Managing Security Operations
• Business Continuity & Disaster Recovery Planning
  • Chapter 3: Business Continuity Planning
  • Chapter 17: Preventing and Responding to Incidents
  • Chapter 18: Disaster Recovery Planning
• Legal, Regulations, Investigations and Compliance
  • Chapter 4: Laws, Regulations, and Compliance
  • Chapter 19: Incidents and Ethics
• Physical (Environment) Security
  • Chapter 10: Physical Security Requirements
Course Outline (ISM Standards)
• FIPS-140-2 (Radio Encryptors, Crypto Modules, IP Encryptor, Encryption Boards, Secure USB / Token, Secure Gateway)
• Common Criteria (IDS, IPS, OS, Firewall, Router, Trusted computing, Enterprise Security Mgmt Access Control, VoIP, IPE, Mobile Devices, Biometric Verification Mechanisms)
• Security & Audit Frameworks, Methodologies and Architecture
  • ISO 27001:2013 & 2005
  • CoBIT
  • COSO
  • NIST SP 800-53, Minimum Security Controls for Federal IT Systems
  • SABSA (Zachman Framework)
  • ToGAF
• Risk Assessment Methodologies / Risk Analysis & Management
  • SP 800-30: Risk Management Guide for IT Systems
  • ISO 27005, IT Security techniques, Information security risk mgmt
  • ISO 31000 Risk Management
  • CCTA Risk Analysis & Management Method (CRAMM)
• NIST SP 800-160 Volume 1 (NIST 800-64), Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
• Operationally Critical Threat Asset Vulnerability Evaluation (OCTAVE)
• Information Technology Infrastructure Library (ITIL) - Best practices for IT Service Management by UK government
• Security Models
  • Special Publication 800-27, Engg Principles for Information Tech Security (EP-ITS), NIST 33 Security Principles
  • ISO/IEC 17799 or BS 7799: Information Technology – Code of Practice for Information Security Management
  • RFC 2196, Site Security Handbook
  • SP 800-12, Computer Security Handbook
  • SP 800-14, Generally Accepted Security Principles & Practices
  • SP 800-18, Guide for Developing Security Plans
  • SP 800-26, Security Self-Assessment Guide-IT Systems
  • VISA International Security Model
  • SP 800-37, Guidelines for the Security Certification and Accreditation of Federal IT Systems
(Figure: overview diagram of the ISM standards listed above, with panels for Common Criteria, FIPS-140-2, Phases of System Development Life Cycle (SDLC), NIST SP 800-160 Volume 1 (NIST 800-64), OCTAVE, ITIL, Risk Assessment Methodologies / Risk Analysis & Management, and Security & Audit Frameworks, Methodologies and Architecture.)
Projects & Case Studies
• Topic Proposal & Approval
  • Submit your proposed topic with objectives / scope / selected organization / system for case study
  • Select an organization / system to apply the selected topic for Case Study
  • Deadline: 17 Feb, 2020
• Case Study
  • Study relevant documents / standards
  • Study overall organizational IS architecture / system security architecture
  • Apply selected standard for organization / system assessment
  • Weaknesses?
  • Suggestions?
  • Improvements?
• Project Report
  • Prepare results, vulnerabilities, suggestions and assessment along with recommendation
  • Deadline: 2 Weeks after Mid Term Exam
• Presentation
  • Presentation will be for 15-20 minutes
  • After presentation there will be 5 mins question & answer session

Information Security Management: Introduction

Threat Modeling

Risk Management
Risk Management Cycle (figure):
• Identify the Risk Areas
• Assess the Risks (Risk Assessment)
• Develop Risk Management Plan (Risk Control / Mitigation)
• Implement Risk Management Actions
• Re-evaluate the Risks

Distinct Communities of Interest?

Distinct Communities of Interest
• Information security managers and professionals
• Information technology managers and professionals
• Non-technical business managers and professionals

Communities of Interest
• InfoSec community: protect information assets from threats
• IT community: support business objectives by supplying appropriate information technology
• Business community: policy and resources

InfoSec Components?

InfoSec Components

National Sec Telecomm & IS Sec Committee (NSTISSC): Security Model

Mgmt & Roles?

What Is Management?
• A process of achieving objectives using a given set of resources
• To manage the information security process, first understand core principles of management
• A manager is “Someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals”

Managerial Roles
• Informational role: Collecting, processing, and using information to achieve the objective
• Interpersonal role: Interacting with superiors, subordinates, outside stakeholders, and others
• Decisional role: Selecting from alternative approaches and resolving conflicts, dilemmas, or challenges

Differences Between Leadership and Management
• The leader influences employees so that they are willing to accomplish objectives
• He or she is expected to lead by example and demonstrate personal traits that inculcate a desire in others to follow
• Leadership provides purpose, direction, and motivation to those that follow
• A manager administers the resources of the organization, budgets, authorizes expenditure

Characteristics of a Leader
1. Bearing
2. Courage
3. Decisiveness
4. Dependability
5. Endurance
6. Enthusiasm
7. Initiative
8. Integrity
9. Judgment
10. Justice
11. Knowledge
12. Loyalty
13. Tact
14. Unselfishness

What Makes a Good Leader? Action Plan
• Know yourself and seek self-improvement
• Be technically and tactically proficient
• Seek responsibility and take responsibility for your actions
• Make sound and timely decisions
• Set the example
• Know your [subordinates] and look out for their well-being
• Keep your subordinates informed
• Develop a sense of responsibility in your subordinates
• Ensure the task is understood, supervised, and accomplished
• Build the team
• Employ your team in accordance with its capabilities
Leadership Quality & Types
• A leader must:
  • BE a person of strong and honorable character
  • KNOW yourself, the details of your situation, the standards to which you work, human nature, and your team
  • DO by providing purpose, direction, and motivation to your team
• Three basic behavioral types of leaders:
  • Autocratic
  • Democratic
  • Laissez-faire
Characteristics of Management?

Characteristics of Management
• POLC: Popular management theory using principles of management into planning, organizing, leading, and controlling
• POSDC: Traditional management theory using principles of planning, organizing, staffing, directing, and controlling
The Planning–Controlling Link (figure)

Planning & Organization
• Planning: process that develops, creates, and implements strategies for
the accomplishment of objectives
• Three levels of planning
• Strategic
• Tactical
• Operational
• Organization: structuring of resources to support the accomplishment
of objectives

Leadership
• Encourages the implementation of the planning and organizing functions
• Includes supervising employee behavior, performance, attendance, and attitude
• Leadership generally addresses the direction and motivation of the human resource

Control

• Control:
• Monitoring progress toward completion
• Making necessary adjustments to achieve the desired
objectives
• Controlling function determines what must be
monitored as well as using specific control tools to
gather and evaluate information

Control Tools
• Four categories:
  • Information: information flows / communications
  • Financial: guide use of monetary resources (Return on Investment-ROI, cost/benefit analysis-CBA, ...)
  • Operational: PERT, Gantt, process flow
  • Behavioral: human resources
The Control Process

Solving Problems
• Step 1: Recognize and Define the Problem
• Step 2: Gather Facts and Make Assumptions
• Step 3: Develop Possible Solutions (Brainstorming)
• Step 4: Analyze and Compare the Possible Solutions (Feasibility analysis)
• Step 5: Select, Implement, and Evaluate a Solution

Feasibility Analyses
• Economic feasibility assesses costs and benefits of a
solution
• Technological feasibility assesses an organization’s
ability to acquire and manage a solution
• Behavioral feasibility assesses whether members of the
organization will support a solution
• Operational feasibility assesses if an organization can
integrate a solution

Principles Of Information Security Management?

Principles Of Information Security Management
• The extended characteristics of information security are known as the six Ps:
  • Planning
  • Policy
  • Programs
  • Protection
  • People
  • Project Management

InfoSec Planning
• Planning as part of InfoSec management
• is an extension of the basic planning model discussed earlier
• Included in the InfoSec planning model are
• activities necessary to support the design, creation, and
implementation of information security strategies as they
exist within the IT planning environment

InfoSec Planning Types
• Several types of InfoSec plans exist:
  • Incident response
  • Business continuity
  • Disaster recovery
  • Policy
  • Personnel
  • Technology rollout
  • Risk management and
  • Security program including education, training and awareness

Policy
• Policy: set of organizational guidelines that dictates certain
behavior within the organization
• In InfoSec, there are three general categories of policy:
• General program policy (Enterprise Security Policy)
• An issue-specific security policy (ISSP)
• E.g., email, Internet use
• System-specific policies (SSSPs)
• E.g., Access control list (ACLs) for a device

Programs
• Programs are operations managed as specific entities in the information security domain
• Example:
  • A security education training and awareness (SETA) program is one such entity
• Other programs that may emerge include
  • a physical security program, complete with fire, physical access, gates, guards, and so on

Protection
• Risk management activities, including risk assessment and control, &
• Protection mechanisms, technologies & tools
• Each of these mechanisms represents some aspect of the management of specific controls in the overall security plan

People
• People are the most critical link in the information security
program
• Human firewall
• It is imperative that managers continuously recognize the
crucial role that people play; includes
• information security personnel and the security of personnel, as well as
aspects of the SETA program

Project Management
• Project management discipline should be present throughout all elements of the information security program
• Involves
  • Identifying and controlling the resources applied to the project
  • Measuring progress and adjusting the process as progress is made toward the goal

Q&A
