if this is the information superhighway, it’s going through a lot of bad, bad neighborhoods


Upload: pennie

Post on 10-Feb-2016



TRANSCRIPT

Page 1: If this is the information superhighway, it’s going through a lot of bad, bad neighborhoods

Management of Information Security

Chapter 1: Introduction to the Management of Information Security

If this is the information superhighway, it’s going through a lot of bad, bad neighborhoods.

-- DORIAN BERGER, 1997

Page 2

Management of Information Security 2

Introduction

Information technology is critical to business and society

Computer security is evolving into information security

Information security is the responsibility of every member of an organization, but managers play a critical role

Page 3

Introduction

Information security involves three distinct communities of interest:

– Information security managers and professionals

– Information technology managers and professionals

– Non-technical business managers and professionals

Page 4

Communities of Interest

InfoSec community: protect information assets from threats

IT community: support business objectives by supplying appropriate information technology

Business community: policy and resources

Page 5

What Is Security?

“The quality or state of being secure—to be free from danger”

Security is achieved using several strategies simultaneously

Page 6

Specialized Areas of Security

Physical security

Personal security

Operations security

Communications security

Network security

Information Security (InfoSec)

Computer Security

Page 7

Information Security

InfoSec includes information security management, computer security, data security, and network security

Policy is central to all information security efforts

Page 8

FIGURE 1-1 Components of Information Security

Page 9

CIA Triangle

The C.I.A. triangle is made up of:

– Confidentiality

– Integrity

– Availability

Over time the list of characteristics has expanded, but these three remain central

Page 10

Figure 1-2 NSTISSC Security Model

Page 11

Key Concepts of Information Security

Confidentiality

– Confidentiality of information ensures that only those with sufficient privileges may access certain information

– To protect confidentiality of information, a number of measures may be used, including:

Information classification

Secure document storage

Application of general security policies

Education of information custodians and end users

Page 12

Key Concepts of Information Security

Integrity

– Integrity is the quality or state of being whole, complete, and uncorrupted

– The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state

– Corruption can occur while information is being compiled, stored, or transmitted
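The integrity slide above says corruption can occur while information is compiled, stored, or transmitted. The Python below is an added example, not part of the original slides or the textbook, showing how an integrity tag detects that. It contrasts an unkeyed hash, which catches accidental corruption (a flipped bit on disk or on the wire) but not deliberate tampering, because whoever can alter the data can also recompute the hash, with an HMAC, which catches both as long as the key stays out of the attacker's hands. The record, the key, and the bit-flip and tampering functions are constructed for illustration.

```python
"""Added example: detecting loss of integrity in stored or transmitted data.

Unkeyed hash  -> detects accidental corruption only (attacker can re-hash).
Keyed HMAC    -> detects accidental corruption and deliberate tampering,
                 provided the verifier's key is secret.
The record, key and "attacks" below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def seal_with_hash(payload: bytes) -> str:
    """Unkeyed integrity tag: SHA-256 over the payload."""
    return hashlib.sha256(payload).hexdigest()


def check_hash(payload: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal_with_hash(payload), tag)


def seal_with_hmac(key: bytes, payload: bytes) -> str:
    """Keyed integrity tag: HMAC-SHA256 over the payload."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def check_hmac(key: bytes, payload: bytes, tag: str) -> bool:
    # compare_digest avoids leaking where the tags first differ.
    return hmac.compare_digest(seal_with_hmac(key, payload), tag)


def flip_bit(payload: bytes, index: int = 0) -> bytes:
    """Accidental corruption: one bit flipped in storage or in transit."""
    out = bytearray(payload)
    out[index] ^= 0x01
    return bytes(out)


def tamper(payload: bytes) -> bytes:
    """Deliberate corruption: an attacker rewrites the content."""
    return payload.replace(b"amount=100", b"amount=9100")


def run_demo(key: Optional[bytes] = None) -> dict:
    """Run both schemes against a clean, a corrupted and a tampered record."""
    key = key or secrets.token_bytes(32)
    record = b"payee=ACME;amount=100;currency=USD"  # constructed sample record

    h = seal_with_hash(record)
    m = seal_with_hmac(key, record)
    results = {}

    # 1. Untouched data verifies under both schemes.
    results["hash_ok_clean"] = check_hash(record, h)
    results["hmac_ok_clean"] = check_hmac(key, record, m)

    # 2. A single flipped bit is caught by both.
    results["hash_detects_bitflip"] = not check_hash(flip_bit(record), h)
    results["hmac_detects_bitflip"] = not check_hmac(key, flip_bit(record), m)

    # 3. Deliberate tampering: the attacker changes the data AND recomputes
    #    the unkeyed hash, so the plain-hash check passes (detection fails).
    forged = tamper(record)
    results["hash_detects_forgery"] = not check_hash(forged, seal_with_hash(forged))

    # 4. Without the key the attacker can only reuse the old HMAC tag, which
    #    no longer matches the altered content.
    results["hmac_detects_forgery"] = not check_hmac(key, forged, m)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:22s} {outcome}")
```

`hash_detects_forgery` comes back False: the plain hash is an error-detection code, not a security control. Only the keyed check turns the detection into an integrity guarantee, which is why the key must be managed as carefully as the data it protects.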

Page 13

Key Concepts of Information Security

Availability

– Availability means information is accessible to users, without interference or obstruction, in the required format

– A user in this definition may be either a person or another computer system

– Availability means availability to authorized users

Page 14

Key Concepts of Information Security

Privacy

– Information is to be used only for purposes known to the data owner

– This does not focus on freedom from observation, but rather that information will be used only in ways known to the owner

Page 15

Key Concepts of Information Security

Identification

– Information systems possess the characteristic of identification when they are able to recognize individual users

– Identification and authentication are essential to establishing the level of access or authorization that an individual is granted

Page 16

Key Concepts of Information Security

Authentication

– Authentication occurs when a control provides proof that a user possesses the identity that he or she claims

Page 17

Key Concepts of Information Security

Authorization

– After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset

Page 18

Key Concepts of Information Security

Accountability

– The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process
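The four slides above (identification, authentication, authorization, accountability) describe one sequence of controls. The Python below is an added example, not from the slides or the textbook, that implements that sequence as a small reference monitor: the username is the claimed identity, a password checked against a salted PBKDF2 hash is the proof, an access-control list with default deny is the authorization source, and an audit log that records every decision under the named principal is the accountability record. The accounts, the ACL, the asset name `payroll.db` and the user names are constructed for illustration; a real system would keep them in a directory and a policy store.

```python
"""Added example: identification, authentication, authorization and
accountability as one reference monitor. All accounts, assets and the
ACL are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Store only a salted, slow hash; the plaintext is never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes


@dataclass
class ReferenceMonitor:
    accounts: dict                      # username -> Account
    acl: dict                           # asset -> username -> set of granted actions
    audit_log: list = field(default_factory=list)

    def _record(self, principal: str, action: str, asset: str, outcome: str) -> None:
        # Accountability: one entry per decision, attributable to a named principal,
        # including denials and attempts by unknown identities.
        self.audit_log.append({"principal": principal, "action": action,
                               "asset": asset, "outcome": outcome})

    def authenticate(self, username: str, password: str) -> bool:
        # Identification: resolve the claimed identity to a known account.
        account = self.accounts.get(username)
        if account is None:
            self._record(username, "login", "-", "deny: unknown principal")
            return False
        # Authentication: verify the proof against the stored hash in constant time.
        if not hmac.compare_digest(hash_password(password, account.salt), account.pw_hash):
            self._record(username, "login", "-", "deny: bad credential")
            return False
        self._record(username, "login", "-", "allow")
        return True

    def authorize(self, username: str, action: str, asset: str) -> bool:
        # Authorization: default deny; only an explicit grant permits the action.
        granted = action in self.acl.get(asset, {}).get(username, set())
        self._record(username, action, asset, "allow" if granted else "deny: not granted")
        return granted

    def request(self, username: str, password: str, action: str, asset: str) -> bool:
        """Full path: identify and authenticate first, then authorize."""
        return self.authenticate(username, password) and self.authorize(username, action, asset)


def build_demo_monitor() -> ReferenceMonitor:
    salt = os.urandom(16)
    accounts = {"alice": Account("alice", salt, hash_password("correct horse", salt))}
    acl = {"payroll.db": {"alice": {"read"}}}   # alice may read; update/delete not granted
    return ReferenceMonitor(accounts, acl)


def run_demo() -> dict:
    """Exercise the monitor and report each decision plus the audit trail size."""
    monitor = build_demo_monitor()
    decisions = {
        "alice_read": monitor.request("alice", "correct horse", "read", "payroll.db"),
        "alice_delete": monitor.request("alice", "correct horse", "delete", "payroll.db"),
        "alice_wrong_pw": monitor.request("alice", "wrong", "read", "payroll.db"),
        "mallory_read": monitor.request("mallory", "anything", "read", "payroll.db"),
    }
    # Two entries each for the first two requests (login + action), one each
    # for the two failed logins, which never reach authorization.
    decisions["audit_entries"] = len(monitor.audit_log)
    decisions["every_entry_named"] = all(e["principal"] for e in monitor.audit_log)
    return decisions


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:18s} {outcome}")
```

Note that a failed login is logged under the identity that was claimed, not under "anonymous": accountability for rejected attempts is what makes brute-force and credential-stuffing activity attributable later.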

Page 19

What Is Management?

A process of achieving objectives using a given set of resources

To manage the information security process, first understand core principles of management

A manager is “someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals”

Page 20

Managerial Roles

Informational role: Collecting, processing, and using information to achieve the objective

Interpersonal role: Interacting with superiors, subordinates, outside stakeholders, and others

Decisional role: Selecting from alternative approaches and resolving conflicts, dilemmas, or challenges

Page 21

Differences Between Leadership and Management

The leader influences employees so that they are willing to accomplish objectives

He or she is expected to lead by example and demonstrate personal traits that instill a desire in others to follow

Leadership provides purpose, direction, and motivation to those that follow

Page 22

A manager administers the resources of the organization by:

– Creating budgets

– Authorizing expenditures

– Hiring employees

A manager can also be a leader.

Page 23

Characteristics of a Leader

1. Bearing
2. Courage
3. Decisiveness
4. Dependability
5. Endurance
6. Enthusiasm
7. Initiative
8. Integrity
9. Judgment
10. Justice
11. Knowledge
12. Loyalty
13. Tact
14. Unselfishness

Page 24

What Makes a Good Leader?

Action plan for improvement of leadership abilities

1. Know yourself and seek self-improvement
2. Be technically and tactically proficient
3. Seek responsibility and take responsibility for your actions
4. Make sound and timely decisions
5. Set the example
6. Know [subordinates] and look out for their well-being

Page 25

What Makes a Good Leader? (Continued)

Action plan for improvement of leadership abilities

7. Keep subordinates informed
8. Develop a sense of responsibility in subordinates
9. Ensure the task is understood, supervised, and accomplished
10. Build the team
11. Employ a team in accordance with its capabilities

Page 26

Behavioral Types of Leaders

Three basic behavioral types of leaders:

– Autocratic – action-oriented, “Do as I say”

– Democratic – action-oriented and likely to be less efficient

– Laissez-faire – laid-back

Page 27

Characteristics of Management

Two well-known approaches to management:

– Traditional management theory using principles of planning, organizing, staffing, directing, and controlling (POSDC)

– Popular management theory categorizes principles of management into planning, organizing, leading, and controlling (POLC)

Page 28

Planning

Planning: process that develops, creates, and implements strategies for the accomplishment of objectives

Three levels of planning:

– Strategic – occurs at the highest level of the organization

– Tactical – focuses on production planning and integrates organizational resources

– Operational – focuses on day-to-day operations of local resources

Page 29

Planning (Continued)

In general, planning begins with the strategic plan for the whole organization

– To do this successfully, the organization must thoroughly define its goals and objectives

Page 30

Organization

Organization is the principle of management dedicated to structuring resources to support the accomplishment of objectives

Organizing tasks requires determining:

– What is to be done

– In what order

– By whom

– By which methods

– When

Page 31

Leadership

Encourages the implementation of the planning and organizing functions, including supervising employee behavior, performance, attendance, and attitude

Leadership generally addresses the direction and motivation of the human resource

Page 32

Control

Control:

– Monitoring progress toward completion

– Making necessary adjustments to achieve the desired objectives

The controlling function determines what must be monitored, and uses specific control tools to gather and evaluate information

Page 33

Solving Problems

All managers face problems that must be solved.

Step 1: Recognize and Define the Problem

Step 2: Gather Facts and Make Assumptions

Step 3: Develop Possible Solutions

Step 4: Analyze and Compare the Possible Solutions

Step 5: Select, Implement, and Evaluate a Solution

Page 34

Principles of Information Security Management

Information security management is part of the organizational management team.

The extended characteristics of information security are known as the six Ps:

– Planning

– Policy

– Programs

– Protection

– People

– Project Management

Page 35

InfoSec Planning

Planning as part of InfoSec management is an extension of the basic planning model discussed earlier in this chapter

Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment

Page 36

InfoSec Planning Types

Several types of InfoSec plans exist:

– Incident response

– Business continuity

– Disaster recovery

– Policy

– Personnel

– Technology rollout

– Risk management

– Security program, including education, training and awareness

Page 37

Policy

Policy: set of organizational guidelines that dictates certain behavior within the organization

In InfoSec, there are three general categories of policy:

– General program policy (Enterprise Security Policy)

– Issue-specific security policy (ISSP)

– System-specific security policies (SSSPs)

Page 38

Programs

Programs: specific entities managed in the information security domain

A security education, training and awareness (SETA) program is one such entity

Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, and so on

Page 39

Protection

Risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, and tools

Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan

Page 40

People

People are the most critical link in the information security program

It is imperative that managers continuously recognize the crucial role that people play

This includes information security personnel and the security of personnel, as well as aspects of the SETA program

Page 41

Project Management

Project management discipline should be present throughout all elements of the information security program

Involves

– Identifying and controlling the resources applied to the project

– Measuring progress and adjusting the process as progress is made toward the goal