
Slide 1: Lecture 30 Information Security (Cont’d)

Slide 2: Overview
– Organizational Structures
– Roles and Responsibilities
– Information Classification
– Risk Management

Slide 3: Organizational Structure
Organization of, and official responsibilities for, security vary:
– BoD, CEO, BoD Committee
– Director, Manager
– IT/IS Security
– Audit

Slide 4: Typical Org Chart
(Org chart.) Positions shown: Board of Directors/Trustees, President, CIO, Security Director, Project Security Architect, Enterprise Security Architect, Security Analyst, System Auditor.

Slide 5: Security-Oriented Org Chart
(Org chart.) Positions shown: Board of Directors/Trustees, President, CIO, Security Director, Project Security Architect, Enterprise Security Architect, Security Analyst, System Auditor, IT Audit Manager.

Slide 6: Further Separation
(Org chart.) Positions shown: Audit Committee, Board of Directors/Trustees, President, CIO, Security Director, Project Security Architect, Enterprise Security Architect, Security Analyst, System Auditor, IT Audit Manager, Internal Audit.

Slide 7: Organizational Structure
– Audit should be separate from implementation and operations, so that independence is not compromised
– Responsibilities for security should be defined in job descriptions
– Senior management has ultimate responsibility for security
– Security officers/managers have functional responsibility

Slide 8: Roles and Responsibilities
Best practices:
– Least Privilege
– Mandatory Vacations
– Job Rotation
– Separation of Duties
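Two of the best practices above, separation of duties and least privilege, can be checked mechanically once role assignments are written down. The following is an added example, not material from the lecture: the role names, permissions, users, usage records and the conflicting-duty pairs are all constructed for illustration. It computes each user's effective permissions from their roles, flags anyone holding both halves of a conflicting-duty pair, and lists granted permissions that were never exercised in the review period (candidates for removal under least privilege).

```python
"""Separation-of-duties and least-privilege review over a constructed role model.

Added example; not from the lecture slides. Every role, permission, user and
conflict pair below is constructed for illustration.
"""

# Constructed role -> permission mapping
ROLE_PERMISSIONS = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "treasury": {"release_payment"},
    "security_admin": {"manage_accounts"},
    "auditor": {"read_audit_log"},
}

# Constructed pairs of permissions that one person must not hold together
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
    frozenset({"manage_accounts", "read_audit_log"}),  # admin must not police own trail
}


def effective_permissions(user_roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_violations(assignments, role_permissions=ROLE_PERMISSIONS,
                   conflicts=CONFLICTING_DUTIES):
    """Return {user: [sorted conflicting pair, ...]} for users whose combined
    roles grant both halves of a conflicting-duty pair."""
    report = {}
    for user, roles in assignments.items():
        perms = effective_permissions(roles, role_permissions)
        found = [tuple(sorted(pair)) for pair in conflicts if pair <= perms]
        if found:
            report[user] = sorted(found)
    return report


def unused_permissions(assignments, usage, role_permissions=ROLE_PERMISSIONS):
    """Least-privilege check: permissions a user holds but never exercised
    according to the supplied usage records."""
    report = {}
    for user, roles in assignments.items():
        granted = effective_permissions(roles, role_permissions)
        unused = granted - usage.get(user, set())
        if unused:
            report[user] = sorted(unused)
    return report


# Constructed sample assignments: who holds which roles
ASSIGNMENTS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_manager"],      # can create a vendor and approve its payment
    "carol": ["ap_manager", "treasury"],    # can approve and release the same payment
    "dave": ["security_admin", "auditor"],  # can alter accounts and read the audit trail
}

# Constructed usage records: permissions actually exercised in the review period
USAGE = {
    "alice": {"enter_invoice"},
    "bob": {"create_vendor", "enter_invoice", "approve_payment"},
    "carol": {"approve_payment", "release_payment"},
    "dave": {"manage_accounts"},
}

if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    for user, perms in unused_permissions(ASSIGNMENTS, USAGE).items():
        print(f"Least-privilege candidate: {user} never used {perms}")
```

The conflict pairs are expressed on permissions rather than on roles, so a violation is caught whichever combination of roles produces it; that matters when roles are added later or a user accumulates roles through job rotation.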

Slide 9: Roles and Responsibilities
– Owners: determine security requirements
– Custodians: manage security based on requirements
– Users: access as allowed by security requirements

Slide 10: Information Classification
– Not all information has the same value
– Need to evaluate value based on CIA
– Value determines protection level
– Protection levels determine procedures
– Labeling informs users on handling

Slide 11: Information Classification
Government classifications:
– Top Secret
– Secret
– Confidential
– Sensitive but Unclassified
– Unclassified

Slide 12: Information Classification
Private sector classifications:
– Confidential
– Private
– Sensitive
– Public

Slide 13: Information Classification
Criteria:
– Value
– Age
– Useful Life
– Personal Association

Slide 14: Risk Management
Risk Management is identifying, evaluating, and mitigating risk to an organization.
– It is a cyclical, continuous process
– Need to know what you have
– Need to know what threats are likely
– Need to know how, and how well, it is protected
– Need to know where the gaps are

Slide 15: Identification
– Assets
– Threats (threat-sources: man-made, natural)
– Vulnerabilities (weaknesses)
– Controls (safeguards)

