INFORMATION SECURITY MANAGEMENT

LECTURE 5: DEVELOPING THE SECURITY PROGRAM

You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

Introduction: Information Security Program

The overall combination of technical, operational and procedural measures, and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis1

Ex. Federal Government Security

Ex. University of Washington

1ISACA, CISM® Review Manual 2008, USA, 2007, p. 34

Organizing for Security

• Variables involved in structuring an information security program:

Does Size Matter? :Approaches to Programs

• Larger Organization

• Medium Sized Organization

• Small Business

Security: Very Large Organizations

Security budgets often grow faster than IT budgets

Even with a large budget, the average amount spent on security per user is still smaller than any other type of organization

Security: Large Organizations

Security approach has often matured, integrating planning and policy into the organization’s culture

One approach separates functions into four areas:– Non-technology business units outside of IT– IT groups outside of information security area– Information Security Dept. (customer service)– Information Security Dept. (compliance)

Security: Large Organizations (cont’d.)

• The CISO has responsibility for information security functions

• The deployment of full-time security personnel depends on:– Sensitivity of the information to be protected– Industry regulations– General profitability– Budgetary Constraints

Security: Medium-Sized Organizations

Security: Small Organizations

Components of the Security Program

• Organization’s information security needs– Unique to the culture, size, and budget of the

organization

• Determining what level the information security program operates on depends on the organization’s strategic plan

http://www.isaca.org/Journal/Past-Issues/2009/Volume-5/Pages/JOnline-Information-Security-Program-Establishing-It-the-Right-Way-for-Continued-Success.aspx

Critical Elements of the Security Program

• Senior management commitment to information security initiatives

• Management understanding of information security issues• Information security planning prior to implementation of new

technologies• Integration between business and information security• Alignment of information security with the organization’s

objectives• Executive and line management ownership and accountability

for implementing, monitoring and reporting on information security

Additionally:• Appropriate employee SETA on asset protection• Consistent enforcement of InfoSec policies/standards• Ability to cost-justify security

http://www.isaca.org/Knowledge-Center/Research/Documents/Critical-Elements-of-Information-Security-Program-Success_res_Eng_0105.pdf

Information Security Roles and Titles

• Types of information security positions– Those that define– Those that build– Those that administer

• A typical organization has a number of individuals with information security responsibilities

Implementing Security Education, Training, and Awareness Programs• SETA program

• Benefits• Purpose

SETA: Security Education

• Employees within information security may be encouraged to seek a formal education• Depth of knowledge

• Some organizations may refer to the certifications offered in that field

SETA: Security Education Developing Education Program

• Once the knowledge areas are identified, common knowledge areas are aggregated into teaching domains

• Course design– Should enable a student to obtain the required

knowledge and skills upon completion of the program – Identify the prerequisite knowledge for each class

SETA: Security Training

• Involves providing detailed information and hands-on instruction

• Management can either develop customized training or outsource

• Customizing training for users:• Functional Background• Skill Level

SETA: Training Techniques

• Using the wrong method can hinder the transfer of knowledge

• Good training programs• Training is often for one or a few individuals• Selection of the training delivery method

– Not always based on the best outcome for the trainee

Types of Delivery Methods

One-on-one Computer-based training (CBT)

Formal class Distance learning & web seminars

On-the-job training Self-study (non-computerized)

User support group

SETA: Security Awareness

• Less frequently implemented, but most effective security methods

• Security awareness programs:

– Set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure

– Remind users of the procedures to be followed

SETA: Security Awareness (cont’d.)

• Best practices:– Focus on people – Refrain from using technical jargon– Use every available venue – Define learning objectives, state them clearly, and

provide sufficient detail and coverage– Keep things light– Don’t overload the users – Help users understand their roles in InfoSec– Take advantage of in-house communications media – Make the awareness program formal

• Plan and document all actions– Provide good information early, rather than perfect

information late

SETA: Security Awareness (cont’d.)

• Commandments of information security awareness training– Information security is a people issue– Speak their language– If they cannot see it, they will not learn it– Make your point, support it, and conclude it– Always let the recipients know how the behavior

that you request will affect them– Formalize your training methodology– Always be timely

SETA: Security Awareness (cont’d.)

• Designed to modify any employee behavior that endangers the security of the organization’s information

• Effective programs make employees accountable for their actions

• Dissemination and enforcement of policy become easier

• Demonstrating due care and due diligence can help indemnify the institution against lawsuits

SETA: Security Awareness (cont’d.)

• Awareness can take on different forms for particular audiences

• A security awareness program can use many methods to deliver its message

• Recognize that people tend to practice a tuning out process (acclimation)

SETA: Security Awareness (cont’d.)

• Many security awareness components are available at little or no cost – Others can be very expensive

• Examples of security awareness components– Videos

– Another One– Posters and banners– Lectures and conferences– Computer-based training

Case Discussion: Safety Approach to IS Communications

• Security Communications

• Mental Models

• Risk Perception

• Risk Compensation

Security Awareness (cont’d.)

• Organizations can establish Web pages or sites dedicated to promoting information security awareness

• Tips on creating and maintaining an educational Web site (cont’d.)– Keep page loading time to a minimum– Seek feedback– Assume nothing and check everything– Spend time promoting your site

Case: Making InfoSec User Friendly

• User mentality• Approach to information assets

• Loss of information

• Improving the current model/approach to InfoSec

Case: Positive Outcomes for Awareness Training

Technology alone cannot deal with all information security risks

Discussion Topics

Discuss the advantages and disadvantages of nesting the information security role within the information technology (IT) part of the organization.

Discuss posters, trinkets, and Web sites as information security awareness methods. What are some advantages and disadvantages of each method? Which do you think is the best method and why?

Useful Resources

• Building an SETA program

• Microsoft Security Awareness

Summary

• Organizing for security• Placing information security within an

organization• Components of the security program• Information security roles and titles• Implementing security education, training, and

awareness programs

Reminders

• Next Week• Security Management Models

• Demo Project – Start to brainstorm

• Term Paper• Need topic by next week