1
Introduction to the Management of Information Security
Dan Hein, Dinesh Raveendran, Molly Coplen Feb 3, 2008
2
Organization
Overview of Information Security
Defining Security
Information Security Management
The Six P’s of Information Security
11/8/2018
3
Information Security
Risk analysis is the essential central activity required to secure information assets:
  Information asset enumeration
  Threat enumeration
  Threat potential, impact and/or damage
Risk analysis provides the rationale (cost justification) for sound business decisions and cross-cuts several communities:
  Information Security community
  Information Technology community
  General Business community
4
What is Security?
The quality or state of being secure: to be free from danger. Example: national security.
Multiple types of security specialization:
  Physical: protection of people, physical assets, and the workplace
  Operations: carrying out operational activities without interruption or compromise
  Communications: protection of communication media, technology and content
  Network: protection of networking devices, connections and content
5
Information Security
Information Security (InfoSec) encompasses:
  Management of information security
  Computer and data security
  Network security
(Slide diagram: the three areas overlap, with Policy at their intersection.)
6
NSTISSC* Security Model
A CNSS model known as the McCumber Cube.
Purpose: identify gaps in an information security program.
Weakness: addresses only the InfoSec community and leaves out the business and broader IT communities.
The cube’s three axes:
  Desired goals: Confidentiality, Integrity, Availability
  Information states: Storage, Processing, Transmission
  Safeguards: Policy, Education, Technology
* National Security Telecommunications and Information Systems Security Committee
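The gap-finding purpose of the cube, as an added example that is not part of the original slides: each control in a constructed inventory is tagged with the (goal, safeguard, state) cells it addresses, and the cells no control touches are reported as gaps. The control names and their cell assignments are assumptions made for illustration, not a real program’s inventory.

```python
"""Added example: finding coverage gaps with the McCumber Cube.

Every control in the inventory is tagged with the (goal, safeguard, state)
cells it addresses; a gap is a cube cell no control maps to.
The inventory below is constructed for the example.
"""
from itertools import product

GOALS = ("confidentiality", "integrity", "availability")
SAFEGUARDS = ("policy", "education", "technology")
STATES = ("storage", "processing", "transmission")
ALL_CELLS = frozenset(product(GOALS, SAFEGUARDS, STATES))  # 27 cells

# Constructed control inventory: control name -> set of cube cells it addresses
CONTROLS = {
    "full-disk encryption on laptops": {
        ("confidentiality", "technology", "storage")},
    "TLS on all external services": {
        ("confidentiality", "technology", "transmission"),
        ("integrity", "technology", "transmission")},
    "nightly backups with restore test": {
        ("availability", "technology", "storage")},
    "data classification policy": {
        ("confidentiality", "policy", "storage"),
        ("confidentiality", "policy", "transmission")},
    "phishing awareness training": {
        ("confidentiality", "education", "transmission")},
    "secure coding standard and review": {
        ("integrity", "policy", "processing"),
        ("integrity", "education", "processing")},
}


def validate(controls: dict) -> None:
    """Reject tags that are not real cube cells (a typo would silently hide a gap)."""
    for name, cells in controls.items():
        for cell in cells:
            if cell not in ALL_CELLS:
                raise ValueError(f"{name!r}: {cell!r} is not a cube cell")


def covered_cells(controls: dict) -> frozenset:
    validate(controls)
    return frozenset(cell for cells in controls.values() for cell in cells)


def cube_gaps(controls: dict) -> frozenset:
    """Cells of the cube that no control addresses."""
    return ALL_CELLS - covered_cells(controls)


def gaps_by_goal(controls: dict) -> dict:
    """How many of the nine cells per CIA goal are uncovered."""
    counts = {goal: 0 for goal in GOALS}
    for goal, _, _ in cube_gaps(controls):
        counts[goal] += 1
    return counts


if __name__ == "__main__":
    for cell in sorted(cube_gaps(CONTROLS)):
        print("gap:", cell)
    print(gaps_by_goal(CONTROLS))
```

With the constructed inventory, 9 of the 27 cells are covered and 18 are gaps; availability is the weakest goal (8 of its 9 cells empty), which is exactly the kind of finding the slide says the cube is for.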
7
Key Concepts of InfoSec
C.I.A. Triangle: basis for the CNSS model of InfoSec
  Three essential characteristics: confidentiality, integrity and availability
  Limited in scope; difficult to encompass a changing environment
Threats: accidental or intentional damage, destruction, theft, unintended or unauthorized modification, other human misuse, and other threats
Goal: development of a robust model for the current IS environment and the rapidly changing IT industry, with a comprehensive list of critical characteristics
8
Key Concepts continued…
Confidentiality: only those with sufficient privileges and a demonstrated need may access certain information
  Measures to protect it: information classification, secure document storage, application of general security policies, education of information custodians and end users, and cryptography
  Examples of breaches: mailing confidential information outside the organization; a hacker breaking into an internal database
9
Key Concepts continued…
Integrity: the quality or state of being whole, complete, and uncorrupted
  Corruption can occur while information is being entered, stored, or transmitted
  Viruses, worms and even faulty programming can corrupt data
  Detection: check the file’s state, or its hash value or checksum
  Prevention: redundancy bits and check bits, file hashing
  Caveat: an unkeyed hash or checksum catches accidental corruption, but an attacker who can rewrite the data can recompute it; detecting deliberate modification needs a keyed MAC or a digital signature
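The detection step described above, as an added example that is not part of the original slides: a stored record is checked first with a plain SHA-256 digest and then with an HMAC under a secret key. A flipped bit (accidental corruption) is caught by both; a deliberate edit where the attacker also recomputes the unkeyed digest passes the checksum but fails the MAC. The record bytes, the edit and the key are constructed for the example.

```python
"""Added example: integrity checks on a stored record.

Contrasts an unkeyed checksum, which detects accidental corruption, with a
keyed MAC, which also detects deliberate tampering by someone who can rewrite
the data but does not hold the key. The record and key are constructed here.
"""
import hashlib
import hmac
import os

# Constructed sample record; in practice this is a file or message body.
RECORD = b"account=1234;balance=100.00;owner=alice"


def sha256_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_ok(data: bytes, stored_digest: str) -> bool:
    # compare_digest keeps the comparison constant-time
    return hmac.compare_digest(sha256_digest(data), stored_digest)


def mac_tag(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_ok(key: bytes, data: bytes, stored_tag: str) -> bool:
    return hmac.compare_digest(mac_tag(key, data), stored_tag)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate accidental corruption in storage or transit: one bit flipped."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def integrity_demo() -> dict:
    """Run both checks against the intact, corrupted and tampered record."""
    key = os.urandom(32)  # held by the verifier, never stored beside the data
    stored_digest = sha256_digest(RECORD)
    stored_tag = mac_tag(key, RECORD)

    # 1. Accidental corruption: one bit flipped, digest and tag both fail.
    corrupted = flip_bit(RECORD, 30)

    # 2. Deliberate tampering: the attacker changes the balance and, because
    #    the digest is unkeyed, recomputes it so the checksum still verifies.
    #    Without the key the attacker cannot produce a matching tag.
    tampered = RECORD.replace(b"balance=100.00", b"balance=999.99")
    attacker_digest = sha256_digest(tampered)

    return {
        "intact_checksum": checksum_ok(RECORD, stored_digest),
        "intact_mac": mac_ok(key, RECORD, stored_tag),
        "corrupt_checksum": checksum_ok(corrupted, stored_digest),
        "corrupt_mac": mac_ok(key, corrupted, stored_tag),
        "tamper_checksum_recomputed": checksum_ok(tampered, attacker_digest),
        "tamper_mac": mac_ok(key, tampered, stored_tag),
    }


if __name__ == "__main__":
    for name, result in integrity_demo().items():
        print(f"{name:28s} {result}")
```

The point for the slide’s "detection" bullet: the checksum is only evidence of integrity if the attacker cannot also replace the checksum, so the digest must be stored somewhere the attacker cannot write, or be keyed or signed.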
10
Key Concepts continued…
Availability: the characteristic of information that enables users to access it without interference, in a usable format
  Access only for authorized users
  Analogy: library access
Privacy: information that is collected, used and stored by an organization is intended only for the purposes stated to the data owner at the time it was collected
  Violations: collecting, swapping and selling personal information; data used without the original owner’s consent
11
Key Concepts continued…
Identification: the ability to recognize individual users of an IS
  First step in gaining access to secured data
  Foundation for authentication and authorization
  Performed with a user name or other identifier; the password that accompanies it belongs to the authentication step
Authentication: when a control provides proof that a user possesses the identity he or she claims
  Examples: a password checked against the stored credential; use of cryptographic certificates to establish an SSL/TLS session
12
Key Concepts continued…
Authorization: after authentication, this process provides assurance that the user has been specifically and explicitly authorized by the proper authority to perform the requested action
  Example: activation and use of access control lists (ACLs)
Accountability: when a control provides assurance that every activity undertaken can be attributed to a person or a process
  Example: audit logs
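The four steps from the last two slides (identification, authentication, authorization, accountability) applied to a single access request, as an added example that is not part of the original slides. The user store, passwords, ACL and object path are constructed for illustration; the salted PBKDF2 hash, constant-time comparison and per-decision audit log are the choices a practitioner would make, not something the slides specify.

```python
"""Added example: identification, authentication, authorization and
accountability applied to one access request.

  identification  - the caller names an account (user name)
  authentication  - the caller proves it with a password, checked against a
                    salted PBKDF2 hash using a constant-time comparison
  authorization   - an ACL says what that account may do on the object
  accountability  - every decision, allowed or denied, goes to an audit log

Users, passwords, ACL and object names are constructed for the example.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user store: user name -> (salt, digest). No plaintext is kept.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}

# Constructed ACL: object -> {user name: permitted actions}
ACL = {
    "/payroll/2008.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
}

AUDIT_LOG = []  # accountability: one entry per decision, including denials


def audit(event: str, user: str, obj: Optional[str], outcome: str) -> None:
    AUDIT_LOG.append({"ts": time.time(), "event": event, "user": user,
                      "object": obj, "outcome": outcome})


def authenticate(username: str, password: str) -> bool:
    """Identification (lookup by user name) followed by authentication."""
    record = USERS.get(username)
    if record is None:
        # Unknown identity: still spend a hash computation so response time
        # does not reveal which user names exist.
        hash_password(password, b"\x00" * 16)
        audit("authn", username, None, "denied:unknown-user")
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, stored):
        audit("authn", username, None, "denied:bad-password")
        return False
    audit("authn", username, None, "ok")
    return True


def authorize(username: str, obj: str, action: str) -> bool:
    """Authorization: may this already-authenticated user perform the action?"""
    allowed = action in ACL.get(obj, {}).get(username, set())
    audit("authz", username, obj, "ok" if allowed else f"denied:{action}")
    return allowed


def access(username: str, password: str, obj: str, action: str) -> bool:
    """Full request: the ACL is consulted only after authentication succeeds."""
    if not authenticate(username, password):
        return False
    return authorize(username, obj, action)


def demo() -> dict:
    AUDIT_LOG.clear()
    obj = "/payroll/2008.xlsx"
    return {
        "alice_write": access("alice", "correct horse battery staple", obj, "write"),
        "bob_read": access("bob", "hunter2", obj, "read"),
        "bob_write": access("bob", "hunter2", obj, "write"),
        "bob_bad_password": access("bob", "wrong", obj, "read"),
        "mallory": access("mallory", "anything", obj, "read"),
        "audit_entries": len(AUDIT_LOG),
    }


if __name__ == "__main__":
    print(demo())
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the log records the failed attempts as well as the successes; an audit trail that only records what was allowed cannot attribute an attack that consisted of denied attempts.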
13
What is Management?
Management is the process of achieving objectives given a set of resources. A manager is a member of the organization assigned to marshal and administer resources, coordinate the completion of tasks, and handle the many roles necessary to meet the desired objectives.
14
Management Theories
Frederick Winslow Taylor (1900s): wandered around factories with a stopwatch and a clipboard to measure worker productivity. Management’s job is to improve productivity by refining the processes workers perform.
Douglas McGregor, Theory X and Theory Y (1960):
  Theory X: classic command and control, "carrot and stick"; workers are basically lazy
  Theory Y: people exercise self-direction and self-control in achieving organizational objectives; carrots induce people to stay
15
Management Theories
W. Edwards Deming, Total Quality Management (1980s): stressed quality and customer focus in internal operations, decision making, performance measurement, and compensation; vertical integration
Business Process Re-engineering (1990s): reorganize the business around processes such as purchasing, marketing, and distribution instead of corporate silos based on products and geography
16
Leadership versus Management
Leaders: influence employees so that they are willing to accomplish objectives. Leadership provides purpose, direction, and motivation to those who follow.
Managers: administer the resources of the organization: create budgets, authorize expenditures, hire employees.
17
Key Characteristic of a Leader
A key characteristic of a leader is concern for subordinates as well as strong motivation for accomplishing organizational objectives. Exhibit the principles of be, know, and do:
  Be: a person of strong and honorable character, committed to professional ethics, an example of individual values, and able to resolve complex ethical dilemmas.
  Know: the details of your situation, the standards to which you work, yourself, human nature, and your team.
  Do: provide purpose, direction, and motivation to your teams.
18
Characteristics of a Leader: US Military Model
Bearing, Courage, Decisiveness, Dependability, Endurance, Enthusiasm, Initiative, Integrity, Judgment, Justice, Knowledge, Loyalty, Tact, Unselfishness
19
Improvement of Leadership Abilities
Know yourself and seek self-improvement
Be technically and tactically proficient
Seek responsibility and take responsibility for your actions
Make sound and timely decisions
Set the example
Know your subordinates and look out for their well-being
Keep your subordinates informed
Develop a sense of responsibility in your subordinates
Ensure the task is understood, supervised, and accomplished
Build the team
Employ your team in accordance with its capabilities
20
Behavioral Types of Leaders
Autocratic: reserves all decision-making responsibility for themselves; "do as I say" managers who issue an order to accomplish a task and do not seek or accept alternative viewpoints.
Democratic: seeks input from all interested parties, requesting ideas and suggestions, then formulates a position that can be supported by a majority.
Laissez-faire: allows the process to develop as it goes, making only the minimal decisions needed to avoid bringing the process to a complete halt.
21
The Planning-Controlling Link
Planning: goals, objectives, strategies, plans
Controlling: standards, measurements, comparisons, action
Organizing: structure, human resource management
Leading: motivation, leadership, communication, behavior
22
Planning
Strategic: highest level of the organization (Board of Directors, executive management); time horizon of five or more years
Tactical: mid-level managers; implementation of the strategic plan; time horizon of one to five years
Operational: supervisors; day-to-day operations of local resources; time horizon is immediate
23
Organizing
"The principle of management dedicated to the structuring of resources to support the accomplishment of objectives."
Organizing tasks:
  What is to be done, and in what order
  Who is doing the work
  How the work is being accomplished
  When: the timeline
24
Leadership and Motivation
Peter Drucker:
  A responsible manager has authority.
  Workers are led, not managed.
  The workplace is participatory, but not "free-wheeling."
  Workers are not motivated through money alone.
  Each worker is motivated differently, according to the individual and the situation.
  Management recognizes that workers could leave the organization.
25
What Motivates Workers
Work with people who treat me with respect
Interesting work
Recognition
Opportunity to develop skills
Work for people who will listen to you
Ability to think for myself, not just carry out instructions
Seeing the end results of my work
Work for efficient managers
Job security
High pay
Good benefits
26
Controlling
This function determines what is monitored, the tools used to gather and evaluate information, and the corrective action.
Four categories of control tools:
  Information: flow of information in the organization
  Financial: guide the expenditure of monetary resources
  Operational: evaluate the efficiency and effectiveness of business process flows
  Behavioral: evaluate the efficiency and effectiveness of human resources
27
Control Process
(Slide flowchart.) Measure actual performance and compare it against the performance standard:
  Standard attained? Yes: continue the process.
  No: is the variance accepted? Yes: continue the process.
  No: is the standard acceptable? Yes: identify the cause of the variation and correct performance. No: revise the standard.
28
Solving Problems
Step 1: Recognize and define the problem. How do I know that I have a problem? What is the real cause of the problem?
Step 2: Gather facts and make assumptions. Interview, collect data, review documentation.
Step 3: Develop possible solutions. Brainstorm, interview experts, review research.
Step 4: Analyze and compare possible solutions. Financial impact, cost-benefit analysis, operational impact. Unintended consequences?
Step 5: Select, implement, and evaluate a solution. Monitor the solution: is it having the intended impact?
29
Six Principles of Information Security
Planning: draw upon the larger business and IT plans to develop InfoSec plans that support business goals and objectives.
Policy: organizational document(s) specifying acceptable and unacceptable use, actions constituting abuse, and punishments for violators [Panko03].
Programs: ongoing operational activities that support the goals of information security: education, training, drills, and on-site physical access.
30
Six Principles continued…
Protection: ongoing risk management identifies information assets, enumerates threats, and performs risk reduction or transference.
People: training people within an organization is critical for maintaining proper information security; some of the simplest attacks are social-engineering attacks.
Project Management: continuously monitoring and measuring progress towards InfoSec goals and objectives, and taking corrective action when needed.
31
Questions?
32
Bibliography
Anonymous, "The Way We Were," Management Today, London: June 1998, pp.
Anonymous, "TQM: A Cornerstone of Quality," Quality Progress, Milwaukee: November 2006, Vol. 39, Iss. 11, pp.
William A. Cohen, A Class with Drucker, New York: AMACOM, 2008.
W.E. Deming, Out of the Crisis, MIT Press, 1982.
Richard J. Hackman and Ruth Wageman, "Total Quality Management: Empirical, Conceptual, and Practical Issues," Administrative Science Quarterly, Ithaca: June 1995, Vol. 40, Iss. 2, pp.
Raymond R. Panko, Corporate Computer and Network Security, New Jersey: Prentice Hall, pp.
Michael E. Whitman and Herbert J. Mattord, Management of Information Security, Thomson Course Technology, pp. 1-20.
"Survey: The X and Y Factors," The Economist, London: January 21, Vol. 378, Iss. 8461, p. 19.