Objectives
Upon completion of this material you should be able to:
Reduced risk
Compliance with laws and regulations
Assurance of operational continuity, information integrity, and confidentiality
Bull's-eye model
Policies: the outermost layer; policy is the first layer of defense
Networks: where threats first meet the organization's network
Systems: computers used as servers and desktops, and process-control and manufacturing systems
Applications: all application systems
Figure 4-2 Policies, standards and practices
Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning
ENTERPRISE INFORMATION SECURITY POLICY (EISP)
Sets strategic direction, scope, and tone for the organization's security efforts
Assigns responsibilities for the various areas of information security
ISSP topics
Email and internet use
Minimum system configurations
Prohibitions against hacking
Home use of company-owned computer equipment
Use of personal equipment on company networks
Use of telecommunications technologies
Use of photocopy equipment
Systems management
Management of stored materials
Employer monitoring
Virus protection
Physical security
Encryption
Figure 4-5 Windows XP ACL
TECHNICAL SPECIFICATIONS SYSSPS (CONTINUED)
Configuration rules
Specific configuration codes entered into security systems that guide the system's behaviour as information passes through it
Many security systems (firewalls, proxies, intrusion detection systems) require configuration scripts or rule sets telling the system what action to take on each set of information it processes; the rules are evaluated in order, so their sequence is part of the policy
Distribution
POLICY COMPREHENSION
Figure 4-10 The VigilEnt policy center
Figure 4-11 A sample coverage matrix
Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy.
Policies exist, first and foremost, to inform employees of what is and is not acceptable behavior in the organization.
Policy seeks to improve employee productivity and to prevent potentially embarrassing situations.
System-Specific Policy
OBJECTIVES
Figure 5-2 Example of information security staffing in a very large organization
Figure 5-5 Wood's Option 1: Information security reports to information technology department
Management of Information Security, 3rd ed. Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
PROS/CONS
Widespread use
Close to CEO
Within IT dept
Conflict of interest
PLACING INFORMATION SECURITY, OPTION 2: SECURITY DEPT
Figure 5-6 Wood's Option 2: Information security reports to broadly defined security department
PROS/CONS
Also popular
In a dept that focuses on security
Preventive viewpoint
Cultural differences
PLACING INFORMATION SECURITY, OPTION 3: ADMINISTRATIVE SERVICES
Figure 5-7 Wood's Option 3: Information security reports to administrative services department
PROS/CONS
Close to CEO
Focus on people
PLACING INFORMATION SECURITY, OPTION 4: INSURANCE AND RISK MGMT
Figure 5-8 Wood's Option 4: Information security reports to insurance and risk management department
PLACING INFORMATION SECURITY, OPTION 5: STRATEGY AND PLANNING
Figure 5-9 Wood's Option 5: Information security reports to strategy and planning department
COMPONENTS OF THE SECURITY PROGRAM
Figure 5-10 Information security roles
Source: National Institute of Standards and Technology. An Introduction to Computer Security: The NIST Handbook. SP 800-12. http://csrc.nist.gov/publications/nistpubs/800-12/.
SECURITY EDUCATION
Employees within information security may be encouraged to seek a formal education if they are not prepared by their background or experience.
A number of institutions of higher learning, including colleges and universities, provide formal coursework in information security.
Figure 5-11 Information security knowledge map
Technical user, by skill level:
Novice
Intermediate
Advanced