Stephen S. Yau, CSE 465-591, Fall 2006: IA Management (presentation transcript)


Slide 1: IA Management

Slide 2: Why Need IA Management?
- IA is an integral part of sound management
- Many managers tend to overlook or ignore IA since it is not directly related to their revenue in terms of selling products (services)
- Two basic factors matter when you compete with your competitors:
  - Value of your products (services) to customers
  - Cost of making them

Slide 3: Why Need IA Management? (cont.)
- IA is not an end in itself, but it does provide a critical service and support function for the organization
- Try to minimize cost due to information lost/misused -- as important as coming up with some brilliant ideas in product design
- IA management staff needs to persuade senior managers that IA "magic" comes with a price tag, but if handled properly, there is certainly a return
- Outsourcing is more and more popular, but needs to be carried out carefully since it may bring in more threats and vulnerabilities

Slide 4: IA Management Personnel
- Information Systems Security Officer (ISSO)
  - Responsible to the designated approving authority; ensures that the security of an information system is implemented through its design, development, operation, maintenance, and disposal stages.
- Operations Security (OPSEC) Manager
  - Responsible to the ISSO; prevents information about the organization's capabilities and/or intentions from becoming available to potential adversaries
- System Manager
  - Responsible for the proper operation and management of classified and unclassified Automated Information Systems (AIS).
  - Supervises system staff in implementing AIS security policies, and provides advice and support to the ISSO on AIS security issues.

Slide 5: IA Management Personnel (cont.)
- Program or Functional Manager
  - Responsible for determining, in a coordinated effort with the system manager, which users have a verified need to access their applications.
  - Responsible for informing the ISSO of any security incidents related to the application or the users of the application.
- Communications Security (COMSEC) Custodian
  - Responsible for the receipt, transfer, accounting, safeguarding and destruction of COMSEC material assigned to a COMSEC account.
- Telecommunications Officer
  - Responsible for the receipt, transfer, accounting and safeguarding of telecommunication processes in the organization

Slide 6: Challenges for IA Management
- Increasing complexity of systems, networks, and interconnectivity
- Profound reliance on information and information systems
- Ever-changing internal and external threats
- Competing demands
- Unavailable resources
- Decreasing assets
- Lack of experience
- Lack of available training
- Lukewarm support from management

Slide 7: IA Management Tasks
IA managers and staff are responsible for:
- Managing resources: The security business is dynamic; the IA manager must use time and manpower effectively
- Coordination: Communication is critical for an IA manager to successfully manage an IA program. The IA manager must be an effective communicator to facilitate coordination among the various offices, departments and personnel within the organization
- Budgeting: Ideally, the IA manager will have a line item within the organization's annual budget in order to plan and execute the IA program
- Outsourcing: More and more popular, but it needs to be evaluated carefully before making any decision

Slide 8: IA Management Tasks (cont.)
- Selling the need: Senior management often views IA as an overhead expense. The IA manager needs to convey the idea that "security comes with a price tag" and sell senior managers on the merits of any resources invested in IA
- Dispensing technical guidance: A written regulation, directive or policy can ensure consistency between a process and the standard operating procedure that implements it
- Dealing with legal issues: The IA manager should be familiar with applicable legal issues in order to know when it is appropriate and necessary to contact a law enforcement agency in the event of a security incident

Slide 9: Life-cycle Management
IA is involved in each stage of the system's life-cycle:
- Initiation: Determine how a required operational function can be accomplished in a secure manner
- Definition: The function of the system will determine the security requirements
- Design: Security requirements, including risk, cost and operations, must be integrated into the system design
- Acquisition: The IA manager must ensure that only reliable sources are used for software procurement
- Development: Security controls are built into the system

Slide 10: Life-cycle Management (cont.)
- Implementation: The following tasks need to be done:
  - Risk management
  - C&A process: Certification and Accreditation
  - Approval to operate (ATO): Upon successful security evaluation of the system, the IA manager recommends to the appropriate designated accreditation authority (DAA) that an ATO or an Interim approval to operate (IATO) be granted. An IATO is a temporary approval pending an accreditation decision.
- Operation and Maintenance: Once the system has been turned on for operation, its security must be scrutinized to verify that it continues to meet requirements
- Destruction and Disposal: The IA manager must ensure that information processed and stored in the system is not inadvertently compromised because of improper destruction and disposal

Slide 11: Security Review and Testing
Security review and testing should be conducted throughout the system life-cycle:
- Incident, threat, and vulnerability data collection and review
- Testing of infrastructure, externally and internally
- Baseline establishment for future review

Slide 12: Security Review and Testing (cont.)
Common steps:
- Review policies
- Develop a security matrix summarizing threats and protected assets
- Review security documentation
- Review audit capability and use
- Review security patches and updates
- Run analysis tools
- Correlate all information
- Develop a report
- Make recommendations to correct problems

Slide 13: Identify Weaknesses in a System
- Vulnerability scanning: Scan for unused ports and uncontrolled or unauthorized software
- Discovery scanning: Inventory and classification of information about the OS and available ports; identify running applications to determine device function
- Workstation scanning: Make sure the standard software configuration is current with the latest security patches; locate uncontrolled or unauthorized software
- Server scanning: Make sure the software stored on servers is updated with the latest security patches; locate uncontrolled or unauthorized software
- Port scanning: Scan the various active ports used for communication (TCP/UDP)
- Stealth scans: also called spoofed scans

Slide 14: Identify Weaknesses in a System (cont.)
Issues with vulnerability testing:
- False positives: legitimate software using ports registered to other software
- Heavy traffic: adverse effect on WAN links; may even disable slow links
- False negatives: exhausting resources on the scanning machine, so vulnerabilities are not properly identified
- System crash
- Unregistered port numbers: port numbers in use are not registered, so the software behind them cannot be identified
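Slides 11 through 14 describe a review loop: establish a baseline, run the scanners, correlate the results, and report deviations, while allowing for scanner false positives (legitimate software on a port registered to something else) and unregistered ports the scanner cannot attribute. The following Python script is an added example that is not part of the slides or of the Boyce and Jennings text; it correlates constructed scan output with a constructed per-host baseline and a constructed subset of a port registry, sorts each listener into a review category, and shows how an approved deviation is folded back into the baseline for the next review. All hosts, ports, service names and baseline entries are made up for the example.

```python
"""
Correlate scan findings with an approved port/service baseline.

Added example (not from the slides or the cited textbook). It models the
review steps on the slides: establish a baseline, correlate scan data,
report deviations, and treat registry/banner mismatches and unregistered
ports as review items rather than confirmed vulnerabilities. All hosts,
ports, banners and baseline entries below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed subset of an IANA-style port registry. In a real review this
# would come from /etc/services or the IANA registry.
REGISTERED_SERVICES = {22: "ssh", 25: "smtp", 80: "http", 443: "https", 3306: "mysql"}

# Approved baseline (constructed): for each host, the listeners authorized
# at the last review, keyed by (port, proto) -> expected service name.
BASELINE = {
    "10.0.0.10": {(22, "tcp"): "ssh", (443, "tcp"): "https"},
    "10.0.0.20": {(22, "tcp"): "ssh", (3306, "tcp"): "mysql"},
}

# Constructed scanner output, one listener per line:
#   host,port,proto,service-as-identified-from-the-banner
SCAN_OUTPUT = """\
# host,port,proto,service
10.0.0.10,22,tcp,ssh
10.0.0.10,443,tcp,https
10.0.0.10,80,tcp,http
10.0.0.10,25,tcp,http
10.0.0.20,22,tcp,ssh
10.0.0.20,3306,tcp,http
10.0.0.20,31337,tcp,unknown
10.0.0.30,80,tcp,http
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    service: str   # what the scanner actually saw listening
    category: str  # review bucket assigned by classify()
    note: str


def parse_scan(text):
    """Parse the constructed CSV-style scan output into (host, port, proto, service)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, proto, service = (f.strip() for f in line.split(","))
        rows.append((host, int(port), proto, service))
    return rows


def classify(host, port, proto, service, baseline=BASELINE, registry=REGISTERED_SERVICES):
    """Correlate one listener with the baseline and the port registry."""
    expected = baseline.get(host, {}).get((port, proto))
    registered = registry.get(port)
    if expected is not None:
        if service == expected:
            return Finding(host, port, proto, service, "approved", "matches baseline")
        return Finding(host, port, proto, service, "baseline-mismatch",
                       f"baseline expects {expected}, scanner saw {service}")
    if host not in baseline:
        return Finding(host, port, proto, service, "unknown-host",
                       "host has no baseline; add it to the inventory before review")
    if registered is None:
        # Slide 14: unregistered port numbers cannot be attributed to software
        return Finding(host, port, proto, service, "unregistered-port",
                       "port not in registry; scanner cannot identify the software")
    if service != registered:
        # Slide 14: registry-based hits on a port used by other software
        return Finding(host, port, proto, service, "possible-false-positive",
                       f"port registered to {registered} but {service} is listening; "
                       "verify before treating registry-based vulnerability hits as real")
    return Finding(host, port, proto, service, "unauthorized-listener",
                   "not in the approved baseline")


def review(text, baseline=BASELINE):
    """Run the whole correlation step; returns findings grouped by category."""
    report = defaultdict(list)
    for host, port, proto, service in parse_scan(text):
        finding = classify(host, port, proto, service, baseline)
        report[finding.category].append(finding)
    return dict(report)


def approve(baseline, finding):
    """Record a reviewed deviation as an approved baseline change.

    Returns a new baseline and leaves the old one untouched so the two can
    be diffed and the change tracked, as the summary slides require."""
    updated = {h: dict(entries) for h, entries in baseline.items()}
    updated.setdefault(finding.host, {})[(finding.port, finding.proto)] = finding.service
    return updated


if __name__ == "__main__":
    for category, items in sorted(review(SCAN_OUTPUT).items()):
        print(f"== {category} ({len(items)})")
        for f in items:
            print(f"  {f.host}:{f.port}/{f.proto} {f.service:<8} {f.note}")
```

The categories are deliberately coarse: the point of the correlation step is to separate what needs a human decision (mismatches, unregistered ports, hosts with no baseline) from what is already approved, so that scanner output is reviewed against the organization's own baseline rather than taken at face value.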

Slide 15: Security Awareness and Education
- Understand how actions can greatly affect the overall security position of the organization
- Computer security awareness and education enhance security through the following:
  - Making users aware of their security responsibilities and teaching them correct practices, which helps change behaviour
  - Developing skills and knowledge
  - Building in-depth knowledge to design, implement, or operate security programs

Slide 16: Security Awareness & Education (cont.)
- Often overlooked by proactive or reactive administration of security practices
- An effective program requires proper planning, implementation, maintenance, and periodic evaluation:
  - Identify program scope, goals, and objectives
  - Identify training staff
  - Identify the target audience
  - Motivate management and employees
  - Administer the program
  - Maintain the program
  - Evaluate the program

Slide 17: Methods to Promote Awareness
- Management commitment is necessary
- Integrating awareness
- Periodic awareness sessions, direct, simple and clear, to orient new employees and refresh senior employees
- Live/interactive presentations through lectures and videos
- Publishing/distributing posters and company newsletters
- Incentives: awards and recognition for security-related achievement
- Reminders

Slide 18: Training
Training is different from awareness: it is often held in a specific classroom or delivered through one-on-one training.
InfoSec examples:
- Security-related job training for operators and specific users
- Awareness training for specific departments or personnel groups with security-sensitive positions
- Technical security training for IT support personnel and system administrators
- Advanced InfoSec training for security practitioners and AIS auditors
- Security training for senior managers and functional managers

Slide 19: Summary
IA Management within an organization should:
- Ensure that security is planned and developed into any prospective new system
- Certify that security features are performing properly before allowing the system to operate
- Approve and track configuration changes to the IA baseline, verifying that changes do not affect the terms of the system's accreditation
- Assess the status of security features and system vulnerabilities through manual and automated reviews
- Destroy and dispose of hardcopy printouts and nonvolatile storage media in a way that eliminates possible compromise of sensitive or classified data

Slide 20: Summary (cont.)
- Keep system documentation current, reflecting patches, version upgrades, and other baseline changes
- Track hardware and software changes through a process that ensures changes are approved and tested before installation and operation; ensure that the IA manager or a representative is part of the approval process
- Control privileges and authority for modifying software

Slide 21: References
- J. G. Boyce, D. W. Jennings, Information Assurance: Managing Organizational IT Security Risks. Butterworth-Heinemann, 2002, ISBN 0-7506-7327-3

