Management Of Information Security PDF


Summary

This document is an introduction to the management of information security. It covers topics such as security, management, and information security management. The document also provides a general overview of different concepts and principles in information security.

Full Transcript


Management of Information Security
Chapter 1: Introduction to the Management of Information Security
Dr. Nazar Abbas Saqib
Management of Information Security, 6th Edition, © Cengage Learning 2014

Objectives
– Describe the importance of the manager’s role in securing an organization’s use of information technology and explain who is responsible for protecting an organization’s information assets
– List and discuss the key characteristics of information security
– Discuss the key characteristics of leadership and management
– Differentiate information security management from general business management
– Identify and describe basic project management practices and techniques

Introduction
– Information technology (IT) enables the storage and transportation of information from one business unit to another
– IT systems can break down
– The concept of computer security has been replaced by the concept of information security, which covers a broader range of issues, from protection of data to protection of human resources
– Information security is the responsibility of every employee, especially managers
– Security funding and planning decisions should involve three distinct groups of decision makers, or communities of interest:
  – Information security community: protects the information assets of an organization
  – Information technology community: supports the business objectives by supplying and supporting IT that is appropriate to the organization’s needs
  – General business community: articulates and communicates organizational policy and objectives and allocates resources to the other groups

Today’s Lecture
– What is security?
  – CNSS security model
  – Key concepts of information security
– What is management?
  – Behavioral types of leaders
  – Management characteristics
  – Solving problems
– Principles of information security management
– Project management
– Applying project management to security
– Project management tools

What is Security?
– Security: the quality or state of being secure—to be free from danger
– To be secure is to be protected from the risk of loss, damage, unwanted modification, or other hazards
– Security is often achieved by means of several strategies undertaken simultaneously or used in combination with one another
– Management’s role is to ensure that each strategy is properly planned, organized, staffed, directed, and controlled
– Specialized areas of security include:
  – Physical security: protecting people, physical assets, and the workplace from various threats such as fire, unauthorized access, and natural disasters
  – Operations security: protecting the operational activities without interruption or compromise
  – Communications security: protecting communications media, technology, and content
  – Network security: protecting data networking devices, connections, and contents

What is Information Security?
– Information security (InfoSec): the protection of information and its critical elements (confidentiality, integrity, and availability), including the systems and hardware that use, store, and transmit that information
– Figure 1-1: Components of information security

CNSS Security Model
– NSTISSI (CNSS) Security Model, also known as the McCumber Cube
– Serves as the standard for understanding aspects of InfoSec
– Main goal is to identify gaps in the coverage of an InfoSec program
– CNSS = Committee on National Security Systems; NSTISSI = National Security Telecommunications and Information Systems Security Committee
– The model covers the three dimensions central to InfoSec:
  – Information characteristics
  – Information location
  – Security control categories
– Figure 1-2: CNSS security model (Who will explain this???)
– The model is represented as a 3x3x3 cube with 27 cells; each cell represents an area of intersection among the three dimensions

Key Concepts of Information Security
– C.I.A. triangle: the industry standard for computer security since the development of the mainframe; confidentiality, integrity, and availability are the characteristics of the original C.I.A. triangle
– Due to today’s constantly changing IT environment, the C.I.A. triangle has been expanded to include privacy, identification, authentication, authorization, and accountability
– Confidentiality: only those with sufficient privileges and a demonstrated need may access the information
  – Measures used to protect the confidentiality of information: information classification; secure document (and data) storage; application of general security policies; education of information custodians and end users; cryptography (encryption)
  – Closely related to privacy
– Integrity: the quality or state of being whole, complete, and uncorrupted
  – Information’s integrity is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state
  – Error-control techniques: use of redundancy bits and check bits
– Availability: authorized users have access to information in a usable format, without interference or obstruction
– Privacy: information will be used only in ways approved by the person who provided it
  – Many organizations collect, swap, and sell personal information
– Identification: when an information system is able to recognize individual users
  – The first step in gaining access to secured material; serves as the foundation for subsequent authentication and authorization
  – Typically performed by means of a user name or ID
– Authentication: the process by which a control establishes whether a user (or system) has the identity it claims to have
  – Example: use of cryptographic certificates
– Authorization: a process that defines what an authenticated user has been specifically authorized by the proper authority to do
  – Example: access, modify, or delete information
– Accountability: occurs when a control provides assurance that every activity undertaken can be attributed to a named person or automated process

What is Management?
– Management: the process of achieving objectives using a given set of resources (Any example (objective)??)
– Roles of management:
  – Informational role: collecting, processing, and using information that can affect the completion of the objective
  – Interpersonal role: interacting with superiors, subordinates, outside stakeholders, and other parties that influence or are influenced by the completion of the task
  – Decisional role: selecting from among alternative approaches and resolving conflicts or challenges

Behavioral Types of Leaders
– Three basic behavioral types: autocratic, democratic, and laissez-faire
– Autocratic leaders reserve all decision-making responsibility for themselves; the “Do as I say” type of manager
– Democratic leaders seek input from all interested parties, requesting ideas and suggestions
– Laissez-faire leaders, known as the “laid-back” leaders, often sit back and allow the process to develop as it goes

Management Characteristics
– Two basic approaches to management:
  – Traditional management theory uses the core principles of planning, organizing, staffing, directing, and controlling (POSDC)
  – Popular management theory uses the core principles of planning, organizing, leading, and controlling (POLC)
– The traditional management theory is often well covered in business courses; this lecture will focus on the POLC principles: planning, organizing, leading, and controlling
– Planning: the process of developing, creating, and implementing strategies to accomplish objectives
– Three levels of planning:
  – Strategic planning occurs at the highest levels of the organization and for a long period of time
  – Tactical planning focuses on production planning and integrates organizational resources at a level below the entire enterprise
  – Operational planning focuses on the day-to-day operations of local resources and occurs in the present or the short term
– Planning begins with the creation of strategic plans for the entire organization
  – The resulting plan is divided into planning elements relevant to each major business unit of the organization
  – Business units create business plans that meet the requirements of the overall organizational strategy
  – Plans are communicated to mid-level managers and supervisors to create operational plans
– Organizing: the management function dedicated to the structuring of resources to support the accomplishment of objectives
  – Includes the structuring of departments and staff, the storage of raw materials to facilitate manufacturing, and the collection of information
– Leading: encouraging the implementation of the planning and organizing functions
  – Includes supervising employee behavior, performance, attendance, and attitude while ensuring completion of tasks, goals, and objectives
– Controlling: monitoring progress toward completion and making necessary adjustments to achieve desired objectives
  – Ensures the validity of the organization’s plan
– Figure 1-4: The control process

Solving Problems
– Step 1: Recognize and define the problem
– Step 2: Gather facts and make assumptions
– Step 3: Develop possible solutions
– Step 4: Analyze and compare possible solutions; analysis may include reviewing economic, technological, behavioral, and operational feasibilities
– Step 5: Select, implement, and evaluate a solution

Principles of Information Security Management
– The extended characteristics of information security are known as the six P’s: planning, policy, programs, protection, people, and projects

Planning
– The planning model includes the activities necessary to support the design, creation, and implementation of InfoSec strategies
– Types of InfoSec plans:
  – Incident response planning
  – Business continuity planning
  – Disaster recovery planning
  – Policy planning and personnel planning
  – Technology rollout planning
  – Risk management planning and security program planning

Policy
– Policy: the set of organizational guidelines that dictates certain behavior within the organization (Behavior??)
– Three general policy categories:
  – Enterprise information security policy (EISP): sets the tone for the InfoSec department
  – Issue-specific security policy (ISSP): sets of rules that define acceptable behavior within a specific technology
  – System-specific policies (SysSPs): control the configuration and/or use of a piece of equipment or technology

Programs
– Programs: InfoSec operations that are specifically managed as separate entities
  – Example: a security education, training, and awareness (SETA) program
– Other types of programs:
  – Physical security program complete with fire protection, physical access, gates, guards, etc.
  – Programs dedicated to client/customer privacy and awareness

Protection
– Executed through risk management activities, including risk assessment and control, protection mechanisms, technologies, and tools
– Each of these mechanisms represents some aspect of the management of specific controls in the overall InfoSec plan

People and Projects
– People are the most critical link in the InfoSec program; this encompasses security personnel
– Each process undertaken by the InfoSec group should be managed as a project
  – Example: implementing a new firewall

Summary
– The concept of computer security has been replaced by the concept of InfoSec
– Organizations often have three communities of interest: InfoSec managers and professionals, IT managers and professionals, and nontechnical managers and professionals
– In its simplest form, management is the process of achieving objectives by using resources
– The traditional approach to management theory uses the core principles of planning, organizing, staffing, directing, and controlling (POSDC)
– The process that develops, creates, and implements strategies for the accomplishment of objectives is called “planning”
– InfoSec management operates like all other management units, but the goals and objectives of the InfoSec management team are different in that they focus on the secure operation of the organization
– Project management is the application of knowledge, skills, tools, and techniques to project activities to meet project requirements
– The creation of a project plan can be accomplished using a very simple planning tool, such as the work breakdown structure (WBS)
– A set of methods that can be used to sequence the tasks and subtasks in a project plan is known as “network scheduling”
– Automated project management tools can assist experienced project managers in the complexities of managing a large project but may get in the way when used on simple projects
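The CNSS (McCumber Cube) slides above say the model's main purpose is to find gaps in an InfoSec program's coverage of its 27 cells. The following is an added example, not part of the lecture or the textbook: it tags a constructed inventory of controls with the cube cells each addresses and reports the uncovered cells. The three values on each axis (C/I/A; storage, processing, transmission; policy, education, technology) are the standard McCumber values and are assumed here, since the slides name only the three dimensions.

```python
# Added example (not from the lecture slides): a gap check over the 27 cells of
# the CNSS/McCumber cube. Axis values are the standard McCumber ones, assumed
# here because the slides name only the three dimensions.
from itertools import product

CHARACTERISTICS = ("confidentiality", "integrity", "availability")  # information characteristics
LOCATIONS = ("storage", "processing", "transmission")               # information location
CATEGORIES = ("policy", "education", "technology")                  # security control categories

ALL_CELLS = frozenset(product(CHARACTERISTICS, LOCATIONS, CATEGORIES))  # 3 x 3 x 3 = 27 cells

# Constructed inventory of an InfoSec program: each control is tagged with the
# cube cells it addresses. The tags are illustrative sample data only.
SAMPLE_CONTROLS = {
    "full-disk encryption": {("confidentiality", "storage", "technology")},
    "TLS on all services": {("confidentiality", "transmission", "technology"),
                            ("integrity", "transmission", "technology")},
    "nightly backups": {("availability", "storage", "technology")},
    "data classification policy": {(c, loc, "policy")
                                   for c in ("confidentiality", "integrity")
                                   for loc in LOCATIONS},
    "SETA program": {(c, loc, "education") for c in CHARACTERISTICS
                     for loc in ("storage", "transmission")},
}


def validate(controls):
    """Reject tags outside the cube so a typo cannot masquerade as coverage."""
    for name, cells in controls.items():
        bad = set(cells) - ALL_CELLS
        if bad:
            raise ValueError(f"{name}: unknown cell(s) {sorted(bad)}")


def covered_cells(controls):
    """Union of every cell that at least one control addresses."""
    validate(controls)
    return set().union(*controls.values())


def coverage_gaps(controls):
    """Cells of the cube that no control addresses, sorted in axis order."""
    return sorted(ALL_CELLS - covered_cells(controls))


def gaps_by_axis(controls):
    """Count gaps per value on each axis, to show where the program is thinnest."""
    gaps = coverage_gaps(controls)
    axes = {"characteristic": CHARACTERISTICS, "location": LOCATIONS, "category": CATEGORIES}
    return {axis: {v: sum(1 for g in gaps if g[i] == v) for v in values}
            for i, (axis, values) in enumerate(axes.items())}


if __name__ == "__main__":
    for cell in coverage_gaps(SAMPLE_CONTROLS):
        print("uncovered:", " / ".join(cell))
    print(gaps_by_axis(SAMPLE_CONTROLS))
```

With the sample inventory, 11 of the 27 cells are uncovered; the per-axis counts show that "processing" and "availability" are the thinnest slices, which is the kind of reading the cube is meant to give.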
