Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFORMATION SECURITY MANAGEMENT L ECTURE 2: P LANNING FOR S ECURITY You got to be careful if you don’t know where you’re going, because you might not get.

Published byChristian McCarthy Modified over 8 years ago

Similar presentations

Presentation on theme: "INFORMATION SECURITY MANAGEMENT L ECTURE 2: P LANNING FOR S ECURITY You got to be careful if you don’t know where you’re going, because you might not get."— Presentation transcript:

1 INFORMATION SECURITY MANAGEMENT L ECTURE 2: P LANNING FOR S ECURITY You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

2 The Role of Planning Successful organizations utilize planning Planning involves – Employees – Management – Stockholders – Other outside stakeholders – The physical and technological environment – The political and legal environment – The competitive environment

3 The Role of Planning (cont’d.) Strategic planning includes: – Vision statement – Mission statement – Strategy – Coordinated plans for sub units

4 Precursors to planning Values Statement Establishes organizational principles Vision Statement What the organization wants to become Mission Statement what the organization does and for whom The values, vision, and mission statements together provide the foundation for planning

5 Strategic Planning Strategy is the basis for long-term direction Strategic planning guides organizational efforts

6 Strategic Planning - Discussion Why is it necessary to have a strategic plan in place before creating lower level plans? Are there downsides to this approach?

7 Planning Levels Strategic goals are translated into tasks Objectives should be SMART Strategic planning then begins a transformation from general to specific objectives

8 Planning Levels (cont’d.) Strategic Planning Tactical Planning Operational Planning

9 Planning and the CISO Elements of a strategic plan – Executive summary – Mission statement and vision statement – Organizational profile and history – Strategic issues and core values – Program goals and objectives – Management/operations goals and objectives – Appendices (optional)

10 Information Security Governance Governance of information security is a strategic planning responsibility – Importance has grown in recent years Information security objectives must be addressed at the highest levels of an organization's management team – To be effective and offer a sustainable approach

11 Desired Outcomes Strategic alignment Risk management Resource management Performance measurement Value delivery

12 Implementing Information Security Governance Figure 2-6 General Governance Framework Source: IDEAL is a service mark of Carnegie Mellon University

13 Implementing Information Security Governance (cont’d.) Figure 2-7 The IDEAL model governance framework Source: IDEAL is a service mark of Carnegie Mellon University

14 Planning for Information Security Implementation Source: Information Security Governance: A Call to Action

15 Planning For Information Security Implementation (cont’d.) Implementation can begin – After plan has been translated into IT and information security objectives and tactical and operational plans Methods of implementation – Bottom-up – Top-down

16 Planning For Information Security Implementation (cont’d.) Source: Course Technology/Cengage learning

17 System Development Life Cycle A methodology for the design/implementation of an information system SecSDLC methodology is similar to SDLC

18 Identification of specific threats and the risks they represent Design and implementation of specific controls to counter those threats and manage risks posed to the organization Security Systems Development Life Cycle

19 Phase begins with directive from management specifying the process, outcomes, and goals of the project and its budget Feasibility analysis Determines whether the organization has the resources and commitment to conduct a successful security analysis and design Security Systems Development Life Cycle: Investigation

20 Prepare analysis of existing security policies and programs, along with known threats and current controls Analyze relevant legal issues that could affect the design of the security solution Security Systems Development Life Cycle: Analysis

21 Table 2-1 Threats to Information Security Source: Course Technology/Cengage Learning (adapted from Whitman, 2003) SecSDLC Analysis: Threats to Information Security

22 Vulnerability SecSDLC Analysis: Threats to Information Security Attack Exploit Ex. Java Vulnerability Patch ….and a week laterJava Vulnerabilityweek later

23 – Malicious code – Hoaxes – Back doors – Password crack – Brute force – Dictionary – Denial-of-service (DoS) and distributed denial-of-service (DDoS) – Spoofing – Man-in-the-middle – Spam – Mail bombing – Sniffer – Social engineering – Buffer overflow – Timing SecSDLC Analysis: Common Attacks

24 What are some ways to understand the enemy when it comes to threats? How do you cover all your bases? What are other categories of threats? SecSDLC Analysis: Threats to Information Security

25 Prioritize the risk posed by each category of threat Identify and assess the value of your information assets – Assign a comparative risk rating or score to each specific information asset SecSDLC Analysis: Risk Management

26 Design in the SecSDLC – Create and develop a blueprint for security – Examine and implement key policies – Evaluate the technology needed to support the security blueprint – Generate alternative solutions – Agree upon a final design Security models may be used to guide the design process Security Systems Development Life Cycle: Design

27 A critical design element of the information security program is the information security policy Management must define the types of security policy Integral part of design: SETA program – Consists of: Security education, security training, and security awareness – Purpose: enhance security Security Systems Development Life Cycle: Design

28 Design controls and safeguards – Used to protect information from attacks by threats Design controls and safeguards (Categories): 1. Managerial controls 2. Operational controls 3. Technical controls Introduction to the Security Systems Development Life Cycle (cont’d.) Security Systems Development Life Cycle: Design

29 Introduction to the Security Systems Development Life Cycle (cont’d.) Security Systems Development Life Cycle: Design

30 Contingency planning (Chapter 3) – Prepare, react and recover from circumstances that threaten the organization Types of contingency planning – Incident response planning (IRP) – Disaster recovery planning (DRP) – Business continuity planning (BCP) Introduction to the Security Systems Development Life Cycle (cont’d.) Security Systems Development Life Cycle: Design

31 Physical security – Design, implementation, and maintenance of countermeasures that protect the physical resources of an organization Physical resources include – People – Hardware – Supporting information system elements Security Systems Development Life Cycle: Design

32 Security solutions are acquired, tested, implemented, and tested again Personnel issues are evaluated and specific training and education programs conducted Introduction to the Security Systems Development Life Cycle (cont’d.) Security Systems Development Life Cycle: Implementation

33 Information security professionals – Chief information officer (CIO) – Chief information security officer (CISO) – Security managers – Security technicians – Data owners – Data custodians – Data users Introduction to the Security Systems Development Life Cycle (cont’d.) Security Systems Development Life Cycle: Implementation Professional certifications – CISSP – SSCP – GIAC – Security + – CISM

34 Once program is implemented, it must be: Operated Properly managed Timely (i.e. up to date using established procedures) If the program is not adjusting adequately to the changes in the internal or external environment, it may be necessary to begin the cycle again Introduction to the Security Systems Development Life Cycle (cont’d.) Security Systems Development Life Cycle: Maintenance

35 Aspects of a maintenance model – External monitoring – Internal monitoring – Planning and risk assessment – Vulnerability assessment and remediation – Readiness and review – Vulnerability assessment Introduction to the Security Systems Development Life Cycle (cont’d.) Security Systems Development Life Cycle: Maintenance

36 Introduction to the Security Systems Development Life Cycle (cont’d.) Figure 2-11 Maintenance model Source: Course Technology/Cengage learning Security Systems Development Life Cycle: Maintenance

37 Security program management (Chapter 6) – A formal management standard can provide some insight into the processes and procedures needed – Examples include the BS7799 / ISO17799 / ISO27xxx model or the NIST models described earlier Introduction to the Security Systems Development Life Cycle (cont’d.) Security Systems Development Life Cycle: Maintenance

38 Summary Information security governance Planning for information security implementation Introduction to the security systems development life cycle

39 Table 2-1 Threats to Information Security Source: Course Technology/Cengage Learning (adapted from Whitman, 2003) SecSDLC Analysis: Threats to Information Security

Download ppt "INFORMATION SECURITY MANAGEMENT L ECTURE 2: P LANNING FOR S ECURITY You got to be careful if you don’t know where you’re going, because you might not get."

Similar presentations

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Information Security Policy

Information Security Policy
Information Security Policy

Information Security Policy
Security and Personnel

Security and Personnel
Principles of Information Security, Fourth Edition

Principles of Information Security, Fourth Edition
Security Controls – What Works

Security Controls – What Works
Planning and Strategic Management

Planning and Strategic Management
Management of Information Security Chapter 2: Planning for Security

Management of Information Security Chapter 2: Planning for Security
TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management
Introduction to Information Security

Introduction to Information Security
Database Administration

Database Administration
Information Systems Security Officer

Information Systems Security Officer
Fundamentals of Information Systems, Second Edition

Fundamentals of Information Systems, Second Edition
MANAGEMENT of INFORMATION SECURITY Second Edition.

MANAGEMENT of INFORMATION SECURITY Second Edition.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
CSE 4482: Computer Security Management: Assessment and Forensics

CSE 4482: Computer Security Management: Assessment and Forensics
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Lecture 2: Planning for Security INFORMATION SECURITY MANAGEMENT

Lecture 2: Planning for Security INFORMATION SECURITY MANAGEMENT

Similar presentations

Ads by Google