Managing the Security Function (Chapter 11)

Figure 11-1: Organizational Issues

Top Management Support
- Top-management security awareness briefing (emphasis on brief)
- Corporate security policy statement: vision, not details
- Follow-through when security must be upheld in conflicts
- Business champions to give support and business advice

Should You Place Security Within IT?
- Pros
  - Compatible technical skills
  - Making the CIO responsible for security breaches gives accountability
- Cons
  - Difficult to blow the whistle on the IT staff
  - Vendor preference differences with networking staff (e.g., Cisco vs. Check Point)
- Locating security outside IT
  - Can blow the whistle on IT actions
  - If a staff group, can only give advice

Security and Auditing
- IT Auditing has the skills to determine whether IT rules are enforced, but IT auditing does not set policy
- Internal Auditing also can audit IT-related procedures, but it does not make policy

Managed Security Service Providers (Figure 11-2)
- On-site logging, off-site analysis
- Practice-based expertise: they get plenty of experience on a daily basis, like fire departments
- Separation of responsibilities: can blow the whistle on IT, even the CIO
- What to outsource?
  - Typically, intrusion detection and vulnerability assessment
  - Rarely policy and other control practices
  - Not commonly antivirus protection and other aspects of security, but MSSPs are expanding
- Evaluating the MSSP
  - Diligence: is it really reading the logs? (Contracts often are vague)
  - Skills and background of testers

Security and Business Staffs
- Cannot just lob policies over the wall

Security and Business Partners
- Your business partner's security affects you

Uniformed Security Personnel
- They are often called first by suspicious users
- They support investigations

Staffing and Training
- Hiring staff: expertise
- Training is necessary because few people on the market are security experts
- Certifications are good but vary in what they require and do not make up for lack of experience
- Background checks should be done on the security staff
- All workers involved in IT should have background checks, including the maintenance staff, consultants, and contractors
- Should you hire a hacker?
  - They are likely to have the knowledge you need
  - But would you be afraid to fire or lay off one?

Figure 11-2: Managed Security Service Provider (MSSP)
[Figure: data flow between the firm and the MSSP. Components shown: firm, MSSP, MSSP logging server, log file, security manager. Labelled steps: 2. encrypted & compressed log data; 3. analysis; 4. small number of alerts; 5. vulnerability test.]

