CC3020N Fundamentals of Security Management, Lecture 8: Information Security Implementation & Maintenance (presentation transcript)

Slide 1: Lecture 8, Information Security Implementation & Maintenance

Slide 2: Learning Objectives. To understand how an organization's security blueprint becomes a project plan (implementation); to understand the numerous organizational considerations that must be addressed by a project plan; to understand information security maintenance.

Slide 3: Introduction. Information security is a process, not a project; however, each element of an information security program must be managed as a project, even if it is an ongoing one. In other words, information security is a continuous series, or chain, of projects. The organization translates its blueprint for information security into a concrete project plan.

Slide 4: Project Management for IS. The major steps in executing a project plan are: planning the project; supervising tasks and action steps; wrapping up. Each organization must determine its own project management methodology for IT and information security projects.

Slide 5: Project Plan Development. Three core elements are used in the creation of a project plan: work time, resources, and project deliverables.

Slide 6: Project Plan Development (cont.). Project plan development is the process of integrating all these elements into a cohesive plan with the goal of completing the project within the allotted work time, using no more than the allotted project resources. Changing any one element usually affects the accuracy and reliability of the estimates of the other two, and likely means that the project plan must be revised.

Slide 7: Developing the Project Plan. The project plan can be created using a Work Breakdown Structure (WBS). For each major task, the WBS records: the work to be accomplished; the individuals assigned; start and end dates; the amount of effort required; estimated capital and non-capital expenses; and the dependencies between or among tasks. Each major WBS task is further divided into smaller tasks or specific action steps.

Slide 8: Example - Early Draft WBS (WBS table shown on the slide; not included in the transcript)

Slide 9: Later Draft WBS (WBS table shown on the slide; not included in the transcript)

Slide 10: Later Draft WBS (WBS table shown on the slide; not included in the transcript)

Slide 11: Project Planning Considerations. As the project plan is developed, further details can be added. Special considerations include: finance, priority, time and schedule, staff, procurement, organizational feasibility, and training.

Slide 12: Financial Considerations. No matter what information security needs exist, the amount of effort that can be expended depends on the funds available. – A cost-benefit analysis must be verified prior to development of the project plan. – Both public and private organizations have budgetary constraints, though of a different nature. – To justify the amount budgeted for a security project at either a public or a private organization, it may be useful to benchmark the expenses of similar organizations.

Slide 13: Priority Considerations. In general, the most important information security controls should be scheduled first. Implementation of controls is guided by the prioritization of threats and the value of the threatened information assets.

Slide 14: Time and Scheduling Considerations. Time affects many points in the development of a project plan, including: – the time to order, receive, install, and configure a security control; – the time to train the users; – the time to realize the return on investment of the control.

Slide 15: Staffing (HR) Considerations. The project plan can be constrained by a lack of sufficiently qualified, trained, and available personnel. Experienced staff are often needed to implement the available technologies and to develop and implement policies and training programs.

Slide 16: Procurement Considerations. IT and information security planners must consider the acquisition of goods and services. Most organizations place many constraints on the selection process for equipment and services, specifically on the selection of service vendors or of products from manufacturers and suppliers. These constraints may eliminate a technology from the set of possible choices.

Slide 17: Organizational Feasibility Considerations. Policies require time to develop; new technologies require time to be installed, configured, and tested. Employees need training on new policies and technology, and on how the new IS program affects their working lives. Changes should be transparent to system users, unless the new technology is intended to change procedures (e.g., requiring additional authentication or verification).

Slide 18: Training and Indoctrination Considerations. Organization size and the normal conduct of business may preclude a single large training program on new security procedures and technologies. Where necessary, the organization should use a phased-in or pilot approach to implementation.

Slide 19: Project Scope Considerations. In the case of information security, project plans should not attempt to implement the entire security system at one time. Project scope concerns the boundaries of time and effort-hours needed to deliver the planned features at the planned quality level of the project deliverables.

Slide 20: Supervising Project Implementation. It is up to each organization to find the most suitable leadership for a successful project implementation. Some organizations designate a champion from the general management community of interest to supervise implementation of the information security project plan. An alternative is to designate a senior IT manager to lead the implementation. The optimal solution is to designate a suitable person from the information security community of interest.

Slide 21: Executing the Plan. Once a project is underway, it is managed using a process known as a negative feedback loop or cybernetic loop: progress (work completed, time and resources consumed) is measured periodically and compared against the plan, and any deviation from the expected results triggers corrective action that is fed back into the plan.

Slide 22: Project Wrap-up. The goal of wrap-up is to resolve any pending issues, critique the overall project effort, and draw conclusions about how to improve the process. Project wrap-up is usually handled as a procedural task and assigned to a mid-level IT or information security manager, who collects documentation, finalizes status reports, and delivers the final report and presentation at the wrap-up meeting.

Slide 23: Dealing with Change. The prospect of change can cause employees to be unconsciously or consciously resistant. By understanding and applying change management, you can lower the resistance to change, and even build resilience for change. Steps can be taken to make an organization more responsive to change. Three steps reduce resistance to change: – Communication is the first and most crucial step. – Education means telling employees exactly how the proposed changes will affect them, both individually and across the organization. – Involvement means getting key representatives from user groups to serve as members of the process.

Slide 24: Managing Organizational Change. Developing a culture that supports change: – The ideal organization fosters resilience to change. – This resilience means that the organization has come to expect change as a necessary part of organizational culture, and that embracing change is more productive than fighting it. – To develop such a culture, the organization must successfully accomplish many projects that require change.

Slide 25: Project Management Tools. There are many tools that support the management of the diverse resources in complex projects. Most project managers combine software tools that implement one or more of the main modeling approaches. Examples of project management tools: WBS (Work Breakdown Structure); PERT (Program Evaluation and Review Technique); Gantt chart.

Slide 26: PERT - Program Evaluation and Review Technique. PERT, a network diagram and the most popular dependency diagramming technique, was originally developed in the late 1950s. It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity: – How long will this activity take? – What activity must occur immediately before this activity can take place? – What activity occurs immediately after this activity?

Slide 27: PERT - Program Evaluation and Review Technique (cont.). By tracing the paths through the various activities, you can determine the critical path: the longest chain of dependent activities from start to finish, whose length is the minimum duration of the project; any delay on a critical-path activity delays the project. As each possible path through the project is analyzed, the difference in time between the critical path and any other path is the slack time: – an indication of how much time is available for starting a noncritical task without delaying the project as a whole. Should a delay be introduced (due to poor estimation of time, unexpected events, or the need to reassign resources to other paths such as the critical path), the tasks with slack time are the logical candidates for delay.

Slide 28: PERT Example (diagram shown on the slide; not included in the transcript)

Slide 29: PERT Advantages. – Makes planning large projects easier by facilitating the identification of pre- and post-activities. – Allows planners to determine the probability of meeting requirements. – Anticipates the impact of changes on the system. – Presents information in a straightforward format that both technical and nontechnical managers can understand and refer to in planning discussions. – Requires no formal training.

Slide 30: PERT Disadvantages. – Diagrams can become awkward and cumbersome, especially in very large projects. – Diagrams can become expensive to develop and maintain, due to the complexities of some project development processes. – It can be difficult to place an accurate "time to complete" on some tasks, especially in the initial construction of a project; inaccurate estimates invalidate any close critical path calculations.

Slide 31: Gantt Chart. Another popular project management tool is the bar or Gantt chart, developed in the early 1900s. The Gantt chart lists activities on the vertical axis of a bar chart and provides a simple timeline on the horizontal axis. Like network diagrams, Gantt charts are easy to understand, and thus easy to present to management. Gantt charts are even easier to design and implement than PERT diagrams, and present much of the same information.

Slide 32: Project Gantt Chart Example (chart shown on the slide; not included in the transcript)
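As an added worked example, not part of the lecture slides, the following Python script carries out the critical-path and slack calculation of slide 27 and draws the text Gantt chart of slide 31 over a WBS of the kind slide 7 describes (each task records work, assignee, effort, cost and dependencies). The task list for a hypothetical authentication-control rollout, with its durations, owners and costs, is a constructed assumption; the forward pass computes earliest start and finish, the backward pass latest start and finish, and slack is the difference.

```python
"""Critical path, slack and a text Gantt chart over a WBS-style task list (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Task:
    """One WBS entry carrying the attributes slide 7 lists for a major task."""
    id: str
    name: str
    duration: int                        # effort in working days
    predecessors: Tuple[str, ...] = ()   # tasks that must finish before this one starts
    owner: str = ""                      # individual or team assigned
    cost: int = 0                        # estimated expense (currency units)


# Constructed sample WBS for rolling out a new authentication control.
# Tasks, durations, owners and costs are assumptions made for this example.
SAMPLE_WBS: List[Task] = [
    Task("A", "Define requirements and update policy", 5, (), "CISO office", 0),
    Task("B", "Procure authentication service", 10, ("A",), "Procurement", 20000),
    Task("C", "Write user training material", 7, ("A",), "Awareness team", 3000),
    Task("D", "Install and configure service", 4, ("B",), "IT operations", 5000),
    Task("E", "Pilot with one department", 5, ("C", "D"), "InfoSec", 0),
    Task("F", "Train all users", 6, ("C",), "HR training", 8000),
    Task("G", "Full rollout", 3, ("E", "F"), "IT operations", 2000),
]


def topological_order(tasks: List[Task]) -> List[Task]:
    """Order tasks so every predecessor precedes its dependents; reject cycles and unknown ids."""
    by_id = {t.id: t for t in tasks}
    order: List[Task] = []
    state: Dict[str, str] = {}

    def visit(tid: str) -> None:
        if state.get(tid) == "done":
            return
        if state.get(tid) == "visiting":
            raise ValueError(f"dependency cycle through task {tid}")
        if tid not in by_id:
            raise ValueError(f"unknown predecessor {tid}")
        state[tid] = "visiting"
        for pred in by_id[tid].predecessors:
            visit(pred)
        state[tid] = "done"
        order.append(by_id[tid])

    for task in tasks:
        visit(task.id)
    return order


def schedule(tasks: List[Task]) -> Tuple[Dict[str, Dict[str, int]], int]:
    """Forward pass (earliest start/finish), backward pass (latest start/finish) and slack.

    Returns ({task_id: {"es", "ef", "ls", "lf", "slack"}}, project_duration).
    """
    ordered = topological_order(tasks)
    es: Dict[str, int] = {}
    ef: Dict[str, int] = {}
    for t in ordered:                                   # forward pass
        es[t.id] = max((ef[p] for p in t.predecessors), default=0)
        ef[t.id] = es[t.id] + t.duration
    duration = max(ef.values())

    successors: Dict[str, List[str]] = {t.id: [] for t in tasks}
    for t in tasks:
        for p in t.predecessors:
            successors[p].append(t.id)
    ls: Dict[str, int] = {}
    lf: Dict[str, int] = {}
    for t in reversed(ordered):                         # backward pass
        lf[t.id] = min((ls[s] for s in successors[t.id]), default=duration)
        ls[t.id] = lf[t.id] - t.duration

    table = {t.id: {"es": es[t.id], "ef": ef[t.id], "ls": ls[t.id], "lf": lf[t.id],
                    "slack": ls[t.id] - es[t.id]} for t in tasks}
    return table, duration


def critical_path(tasks: List[Task]) -> List[str]:
    """Ids of zero-slack tasks in dependency order (the union of all critical paths)."""
    table, _ = schedule(tasks)
    return [t.id for t in topological_order(tasks) if table[t.id]["slack"] == 0]


def with_delay(tasks: List[Task], task_id: str, extra_days: int) -> List[Task]:
    """Copy of the plan in which one task takes extra_days longer (slide 27's delay scenario)."""
    return [Task(t.id, t.name, t.duration + extra_days, t.predecessors, t.owner, t.cost)
            if t.id == task_id else t for t in tasks]


def gantt(tasks: List[Task]) -> str:
    """Text Gantt chart, one column per day: '#' critical work, '=' non-critical work, '.' slack."""
    table, duration = schedule(tasks)
    rows = []
    for t in topological_order(tasks):
        s = table[t.id]
        fill = "#" if s["slack"] == 0 else "="
        bar = " " * s["es"] + fill * t.duration + "." * s["slack"]
        rows.append(f"{t.id} {t.name:<38} |{bar:<{duration}}| {t.owner:<14} slack={s['slack']:>2}")
    return "\n".join(rows)


if __name__ == "__main__":
    _, total = schedule(SAMPLE_WBS)
    print(f"project duration: {total} days, critical path: {'-'.join(critical_path(SAMPLE_WBS))}")
    print(gantt(SAMPLE_WBS))
    print("delay F by 6 days ->", schedule(with_delay(SAMPLE_WBS, "F", 6))[1], "days")
    print("delay F by 7 days ->", schedule(with_delay(SAMPLE_WBS, "F", 7))[1], "days")
```

For the sample plan the critical path is A-B-D-E-G (27 working days), while training material (C) and user training (F) each carry 6 days of slack; delaying F by 6 days leaves the end date unchanged, and a seventh day pushes the whole rollout out by one day, which is exactly why slide 27 names slack-carrying tasks as the candidates for delay. The topological sort refuses circular dependencies and references to tasks that do not exist, two defects that a hand-drawn PERT diagram does not catch.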

Slide 33: Information Security Maintenance. The organization should avoid overconfidence after implementation of an improved information security system. Organizational changes that may occur include: new assets acquired; new vulnerabilities emerging; business priorities shifting; partnerships forming or dissolving; organizational divestiture and acquisition; employee hiring and turnover. A maintenance model must be adopted to manage and operate the ongoing security program.

Slide 34: The Maintenance Model. Designed to focus organizational effort on maintaining systems. The recommended maintenance model is based on five subject areas: external monitoring; internal monitoring; planning and risk assessment; vulnerability assessment and remediation; readiness and review.

Slide 35: The Maintenance Model (diagram shown on the slide; not included in the transcript)

Slide 36: External Monitoring (content shown on the slide; not included in the transcript)

Slide 37: Internal Monitoring (content shown on the slide; not included in the transcript)

Slide 38: Planning and Risk Assessment (content shown on the slide; not included in the transcript)

Slide 39: Vulnerability Assessment and Remediation (content shown on the slide; not included in the transcript)

Slide 40: Readiness and Review (content shown on the slide; not included in the transcript)

Slide 41: Summary. Moving from the security blueprint to a project plan; organizational considerations addressed by the project plan; applying project management to information security; project management tools; maintenance of the information security program.

