Chapter 5 Developing the Security Program Presented by: Jennifer, Sergey & Kalagee Slides by: Ryan.

Post on 21-Dec-2015

2

Outline

• Introduction

• Organizing for Security

• Information Security Placement

• Components of the Security Program

• Information Security Roles and Titles

• Security Education, Training, and Awareness

3

Introduction

• Security Program

– Entire set of personnel, plans, and policies related to Information Security

• Information Security

– Corporate or physical security

• Information Security Program

– Structured effort to contain risks to information assets

4

Organizing for Security

• Security Program Influences

– Organizational culture

– Company size and available resources

– Security personnel and capital budget

5

Organization Sizes

• Small (10-100 computers)

– 20% of IT budget

• Medium (100-1,000 computers)

– 11% of IT budget

• Large (1,000-10,000 computers)

– 5% of IT budget

• Very Large (10,000+ computers)

– 6% of IT budget

6

Information Security Functions

• Risk Assessment

• Risk Management

• Systems Testing

• Policy

• Legal Assessment

• Incident Response

• Planning

• Vulnerability Assessment

• Measurement

• Compliance

• Centralized Authentication

• Systems Security Administration

• Training

• Network Security Administration

7

Security Function Distribution

• Non-technology business units

– Legal assessment and training

• IT groups outside of information security

– Systems and network administration

• Information security as customer service

– Planning, testing, risk assessment, incident response, vulnerability assessment

• Information security as compliance enforcement

– Policy, compliance, and risk management

8

Large Org. Staffing

9

Very Large Org. Staffing

10

Medium Org. Staffing

11

Small Org. Staffing

12

Security Placement

• Openness to new ideas

• Clout with top management

• Respect in the eyes of a wide variety of employees

• Comfort and familiarity with information security concepts

• Willingness to defend the best interest of the organization in the long run

13

Security Placement Locations

• IT

• Security

• Administrative Services

• Insurance and Risk Management

• Strategy and Planning

• Legal

• Internal Audit

• Help Desk

• Accounting and Finance Through IT

• Human Resources

• Facilities Management

• Operations

14

IT

15

Security

16

Administrative Services

17

Insurance & Risk

18

Strategy & Planning

19

Legal

20

Other Options

• Internal Audit

• Help Desk

• Accounting and Finance Through IT

• Human Resources

• Facilities Management

• Operations

21

Components of the Security Program

• InfoSec needs are unique to culture, size, and budget of organization

• Guided by mission and vision statements

• CIO and CISO use mission and vision statements to formulate InfoSec program mission statement

22

Elements of a Security Program (NIST)

• Policy

• Program management

• Risk management

• Life-cycle planning

• Personnel and user issues

• Contingency and disaster recovery planning

• Computer security incident handling

23

Elements of a Security Program (NIST)

• Awareness and training

• Security considerations

• Physical and environmental security

• Identification and authentication

• Logical access control

• Audit trails

• Cryptography

24

Information Security Roles and Titles

• Those that define

– Provide policies, guidelines, and standards

• Those that build

– Create and install security solutions

• Those that administer

– Monitor and improve the security process

25

Job Function Categories

• Chief Information Security Officer (CISO)

• Security manager

• Security administrator/analyst

• Security technician

• Security staffer

• Security consultant

• Security officer and investigator

• Help desk personnel

26

Chief Information Security Officer (CISO)

• Assessment, management, and implementation of the InfoSec program

• Other titles

– Manager for Security

– Security Administrator

• In most cases reports to the CIO

27

Security Manager

• Oversees day-to-day operation of the InfoSec program

– Scheduling

– Setting priorities

– Administering procedural tasks

• Reports to the CISO

• Some technical knowledge

28

Security Administrator/Analyst

• Have both technical knowledge and managerial skill

• Manage day-to-day operation of the InfoSec program

• Assist in development and delivery of training programs and policies

29

Security Technician

• Subject matter experts

• Implement security software

• Diagnose and troubleshoot problems

• Coordinate with administrators to ensure security is properly implemented

• Tend to be specialized

30

Security Staffer

• Individuals who perform routine watch-standing activities

– Intrusion detection consoles

– Monitor email

– Perform routine, yet critical, tasks

31

Security Consultants

• Expert in some aspect of InfoSec

– Disaster recovery

– Business continuity planning

– Policy development

– Strategic planning

32

Security Officers and Investigators

• Sometimes necessary to protect highly sensitive data from physical threats

• Three G’s of physical security

– Guards

– Gates

– Guns

33

Help Desk Personnel

• Enhances security team’s ability to identify potential problems

• Must be prepared to identify and diagnose problems

– Traditional technical problems

– Threats to information security

34

Security Education, Training, and Awareness (SETA)

• Responsibility of the CISO

• Designed to reduce accidental security breaches

• Can improve employee behavior

• Informs members of the organization about where to report violations of policy

• Allows organizations to hold employees accountable for their actions

35

Purpose of SETA

• Enhance security

– By building in-depth knowledge to design, implement, or operate security programs for organizations and systems

– By developing skills and knowledge so that computer users can perform their jobs more securely

– By improving awareness of the need to protect system resources

36

Security Education

• Information security training programs must address:

– Information security educational components

– General education requirements

37

Developing InfoSec Curricula

• InfoSec standards

– ACM

– IEEE

– ABET

• No security curricula models

38

Developing InfoSec Curricula

• Must carefully map expected learning outcomes

• Knowledge map

– Helps potential students assess various InfoSec programs

– Identifies skills and knowledge clusters obtained by program graduates

39

InfoSec Knowledge Map

40

Security Training

• Provides employees with hands-on training

• In-house or outsourced

• NIST provides free InfoSec training documents

– NIST SP 800-16

41

Security Training

• Customizing training by functional background

– General user

– Managerial user

– Technical user

• Job category

• Job function

• Technology product

42

Security Training

• Customizing training by skill level

– Novice

– Intermediate

– Advanced

43

Training for General Users

• Commonly during employee orientation

• Employees are educated on a wide variety of policies

– Good security practices

– Password management

– Specialized access controls

– Violation reporting

44

Training for Managerial Users

• Similar to general training

• More personalized

• Small groups

• More interaction and discussion

45

Training for Technical Users

• Developing advanced technical training

– By job category

– By job function

– By technology product

46

Training Techniques

• Use correct teaching methods

• Take advantage of latest learning technology

• Use best practices

• On-site training is beneficial

47

Delivery Methods

• Delivery method choice is influenced by

– Budget

– Scheduling

– Needs of the organization

• Delivery methods

– One-on-one

– Formal class

– Computer-Based Training (CBT)

48

Delivery Methods (cont)

• Distance learning

• Web Seminars

• User Support Group

• On-Site Training

• Self-Study

49

Selecting Training Staff

• Local training program

• Continuing education department

• External training agency

• Hire a professional trainer

• Hire a consultant, or someone from an accredited institution, to conduct on-site training

• Organize and conduct training in-house using the organization’s own employees

50

Implementing Training

1. Identify program scope, goals and objectives

2. Identify training staff

3. Identify target audiences

4. Motivate management and employees

5. Administer the program

6. Maintain the program

7. Evaluate the program

51

Security Awareness

• Change organizational culture to realize the importance of InfoSec

• Users need to be reminded of the standards and procedures

• Gives employees sense of responsibility and importance

52

Security Awareness Program

• Focus on people

• Don’t use technical jargon

• Use every available medium

• Define a learning objective

• Help users understand their roles

• Don’t overload users with too much information

• Take advantage of in-house communication

• Make the awareness program formal

• Provide good information early

53

Employee Behavior and Awareness

• Educate employees on how to

– Properly handle information

– Use applications

– Operate within the organization

• This minimizes risk of accidental compromise, damage, or destruction of information

54

Employee Accountability

• Effective training programs make employees accountable for their actions

• “Ignorance of the law excuses no one”

• A constant reminder of the consequences of abusing or misusing information resources can help protect the organization against lawsuits

55

Awareness Techniques

• Changes based on intended audience

• Security awareness program

– Can use many methods to deliver its message

– Developed with the assumption that people tend to practice a tuning-out process

– Awareness techniques should be creative and frequently changed

56

Developing Security Awareness Components

• Videos

• Posters and banners

• Lectures and conferences

• Computer-based training

• Newsletters

• Brochures and flyers

• Trinkets

• Bulletin boards

57

Posters

58

Newsletters

• Cost-effective

• Distributed via e-mail, hard copy, or intranet

• Consists of front page, index, volume, and contact information

• May contain articles, policies, how-to’s, security events, upgrades, incidents, etc.

59

Trinket Program

• Most expensive

• Gets attention instantly

• Mugs, calendars, t-shirts, pens, holders, etc.

60

InfoSec Awareness Website

Tips

– Don’t reinvent

– Plan ahead

– Minimal page loading time

– Attractive look and feel

– Always seek feedback

– Test everything. Assume nothing

– Promote the website

61

Conclusions

• Information security programs can be dramatically different for organizations of varying size, but they all have the same goal

– To secure information and information assets

• This is achieved by

– Optimal placement of InfoSec within the organization

– Security education, training, and awareness (SETA)

62

Questions?