MANAGEMENT of INFORMATION SECURITY, Fifth Edition

2 Security Convergence and Security SDLC
Management of Information Security, 5th Edition © Cengage Learning

3 Security Convergence
- The convergence of security-related governance in organizations has been observed since the broad deployment of information systems began in the 1970s and 1980s.
- Industry media have discussed the issues surrounding this merging of management accountability in the areas of corporate (physical) security, corporate risk management, computer security, network security, and InfoSec as such trends waxed and waned over the years.

4 Security Convergence
- A 2007 report commissioned by the Alliance for Enterprise Security Risk Management identified the key approaches organizations are using to achieve unified enterprise risk management (ERM):
  - Combining physical security and InfoSec under one leader as one business function
  - Using separate business functions (each with a separate budget and autonomy) that report to a common senior executive
  - Using a risk council approach to provide a collaborative method for risk management and to set policy about the risk the organization is willing to assume
- A 2015 study of InfoSec management practices found that most larger organizations still keep physical and information security efforts segregated, even with significant collaboration, while full integration is much more common in smaller organizations.

5 Security Convergence by Organizational Size (# of employees)

6 Planning For Information Security Implementation
- The CIO and CISO play important roles in translating overall strategic planning into tactical and operational information security plans.
- When the CISO reports directly to the CIO, the CIO charges the CISO and other IT department heads with creating and adopting plans that are consistent with and supportive of the IT strategy as it supports the entire organizational strategy.
- It falls upon the CISO to go beyond the plans and efforts of the IT group to ensure that the InfoSec plan also directly supports the entire organization and the strategies of other business units, beyond the scope of the IT plan.

7 CISO Job Description
- Creates a strategic information security plan with a vision for the future of information security at Company X…
- Understands the fundamental business activities performed by Company X, and based on this understanding, suggests appropriate information security solutions that uniquely protect these activities…
- Develops action plans, schedules, budgets, status reports and other top management communications intended to improve the status of information security at Company X…

8 Planning for InfoSec
- Once the plan has been translated into IT and information security objectives and into tactical and operational plans, information security implementation can begin.
- Implementation of information security can be accomplished in two ways: bottom-up or top-down.

9 Approaches to InfoSec Implementation

10 Introduction to the Security Systems Development Life Cycle (SecSDLC)
- An SDLC is a methodology for the design and implementation of an information system.
- SDLC-based projects may be initiated by events or planned.
- At the end of each phase, a review occurs in which reviewers determine if the project should be continued, discontinued, outsourced, or postponed.

11 Introduction to the Security Systems Development Life Cycle (SecSDLC)
- It may differ in several specifics, but the overall methodology is similar to the SDLC.
- The SecSDLC process involves the identification of specific threats and the risks that they represent, as well as the subsequent design and implementation of specific controls to counter those threats and manage the risk.

12 SecSDLC Waterfall Methodology

13 Investigation in the SecSDLC
- Often begins as a directive from management specifying the process, outcomes, and goals of the project and its budget.
- Frequently begins with the affirmation or creation of security policies.
- Teams are assembled to analyze problems, define scope, specify goals, and identify constraints.
- A feasibility analysis determines whether the organization has the resources and commitment to conduct a successful security analysis and design.

14 Analysis in the SecSDLC
- A preliminary analysis of existing security policies or programs is prepared, along with known threats and associated controls.
- Includes an analysis of relevant legal issues that could affect the design of the security solution.
- Risk management begins in this stage.

15 Design in the SecSDLC
- The design phase actually consists of two distinct phases:
  - In the logical design phase, team members create and develop a blueprint for security, and examine and implement key policies.
  - In the physical design phase, team members evaluate the technology needed to support the security blueprint, generate alternative solutions, and agree upon a final design.

16 Design in the SecSDLC
- The design phase continues with the formulation of the controls and safeguards used to protect information from attacks by threats. There are three categories of controls:
  - Managerial controls cover security processes that are designed by the strategic planners and executed by the security administration of the organization.
  - Operational controls cover management functions and lower-level planning, such as disaster recovery and incident response planning (IRP), and also address personnel security, physical security, and the protection of production inputs and outputs.
  - Technical controls address technical approaches used to implement security in the organization and must be selected, acquired (made or bought), and integrated into the organization's IT structure.

17 Implementation in the SecSDLC
- The security solutions are acquired, tested, implemented, and tested again.
- Personnel issues are evaluated and specific training and education programs are conducted.
- Perhaps the most important element of the implementation phase is the management of the project plan:
  - planning the project
  - supervising the tasks and action steps within the project
  - wrapping up the project

18 InfoSec Project Team
- Should consist of individuals experienced in one or multiple technical and non-technical areas, including:
  - The champion
  - The team leader
  - Security policy developers
  - Risk assessment specialists
  - Security professionals
  - Systems administrators
  - End users

19 Staffing the InfoSec Function
- Each organization should examine the options for staffing of the information security function:
  - First, decide how to position and name the security function.
  - Second, plan for the proper staffing of the information security function.
  - Third, understand the impact of information security across every role in IT.
  - Finally, integrate solid information security concepts into the personnel management practices of the organization.

20 InfoSec Professionals
- It takes a wide range of professionals to support a diverse information security program:
  - Chief Information Officer (CIO)
  - Chief Security Officer (CSO)
  - Chief Information Security Officer (CISO)
  - Security Managers
  - Security Technicians
  - Data Owners
  - Data Custodians
  - Data Users

21 Maintenance in the SecSDLC
- Once the information security program is implemented, it must be operated, properly managed, and kept up to date by means of established procedures.
- If the program is not adjusting adequately to changes in the internal or external environment, it may be necessary to begin the cycle again.

22 Maintenance Model
- While a systems management model is designed to manage and operate systems, a maintenance model is intended to focus organizational effort on system maintenance:
  - External monitoring
  - Internal monitoring
  - Planning and risk assessment
  - Vulnerability assessment and remediation
  - Readiness and review

23 Maintenance Model

