CHAPTER 1- INFORMATION SECURITY MANEGEMENT PMJ.pdf
Politeknik METrO Tasek Gelugor
CHAPTER 1.0 INTRODUCTION TO SECURITY MANAGEMENT

COURSE LEARNING OUTCOME
1.1 Apply the idea of information security management
1.1.1 Describe security management in an organization
1.1.2 Describe Information Security Management
1.1.3 Define the best practices of information security
1.2 Practice the organization principles
1.2.1 Define Logical Division of Work
1.2.2 Define Clear Lines of Authority and Responsibility
1.2.3 Define Span of Control
1.2.4 Define Unity of Command
1.2.5 Define Responsibilities, Authority, and Accountability
1.3 Construct education and awareness in the organization
1.3.1 Justify the lack of awareness of the underlying risks and how to deal with them
1.3.2 Explain Education and Awareness
a. Management awareness
b. Technology trap
c. Awareness of end users

1.1 APPLY THE IDEA OF INFORMATION SECURITY MANAGEMENT

DEFINITIONS OF ISMS
⚫ Preservation of confidentiality, integrity and availability of information. Other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved. (ISO/IEC 27000:2009)
⚫ The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. (CNSS, 2010)
⚫ Ensures that only authorized users have access to accurate and complete information when required. (ISACA, 2008)
⚫ “...information security is a risk management discipline, whose job is to manage the cost of information risk to the business.” (McDermott and Geer, 2011)

1.1 SECURITY MANAGEMENT IN ORGANIZATION
An organization needs to identify and manage many activities. Applying a system of processes within an organization, together with identifying those processes, is referred to as the process approach. The organization needs to establish a policy and encourage its users to:
⚫ understand the organization’s information security requirements
⚫ implement and operate controls
⚫ monitor and review the performance and effectiveness of the ISMS
⚫ continually improve, based on objective measurement

Internal organization
Objective: A management framework should be established to initiate and control the implementation of information security within the organization.

Management commitment to information security
Management should actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.

ISMS
The best practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
ISMS is defined as that part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security. The management system includes organizational structures, policies, planning activities, responsibilities, practices, procedures, processes and resources. It is important due to evolving risks and the need to be

THE BEST PRACTICES OF INFORMATION SECURITY

1.2 PRACTICE THE ORGANIZATION PRINCIPLE

WHAT IS AN ORGANIZATION PRINCIPLE?
A guiding idea that is used to direct a society, organization or initiative. An organization may develop a complex set of principles, strategies, policies and procedures. Principles are the guidelines for managerial thinking and action; they help in effectively carrying out the organizing function.

Logical Division of Work
While structuring an organization, division of work should, at the very outset, be considered as the basis of efficiency. It is an established fact that a group of individuals can secure better results by dividing the work among them. Therefore, while designing the organization, we should aim at a suitable grouping of activities. This is also called the principle of specialization.

Clear Lines of Authority and Responsibility
Authority and responsibility should go hand in hand. Responsibility means the obligation to carry out the assigned task. To carry out the task, authority must be delegated to every person. Conversely, given the authority, the responsibility (the tasks assigned) should be within the scope of that authority. Authority without responsibility will result in misuse of authority, and responsibility without authority will result in poor performance. There should be parity between authority and responsibility.

Span of Control
Span of control means the number of subordinates over which a superior can exercise successful control. The number of subordinates under a superior depends on the nature of the work. Generally speaking, a superior can have successful control over five or six subordinates. Therefore, there should not be a superior in the organization having more subordinates than that, or even fewer. In both circumstances the work performance will be affected.

Unity of Command
One subordinate should have one boss. People should receive orders from their immediate boss only. This brings discipline and order to the organization. Receiving orders from two or more bosses can create confusion and indiscipline. Unity of command creates commitment, responsibility and consistency in the directions issued by superiors.

Responsibilities, Authority and Accountability
Responsibility: an obligation of a subordinate to perform assigned duties. It always binds superior and subordinate. When a superior assigns any duty or work to a subordinate by his authority, it becomes the responsibility of the subordinate to perform that duty. It denotes an obligation of an individual to do his assigned job satisfactorily, to the best of his ability. George R. Terry has put it: “Responsibility is the obligation of a person to achieve the results mutually determined by means of participation by his superiors and himself.”

Authority: means ‘legal or rightful power, a right to command or to act’. Applied to managerial jobs, it is the power of the superior to command the subordinate to act or not to act in a particular manner. According to George R. Terry, “Authority is official and legal right to command action by others and to enforce compliance.” In this way authority is exercised (i) by making decisions, and (ii) by seeing that they are carried out through (a) persuasion, (b) sanctions, (c) requests, and (d) even coercion, constraint or force.

Accountability: the obligation to carry out responsibility and exercise authority in terms of established performance standards. Accountability is most meaningful if standards for performance are predetermined and if they are fully understood and accepted by the subordinates. Responsibility is a derivative of the work to be performed, authority is derived from responsibility, and accountability in turn is a logical derivative of authority. Creating accountability is the process of justifying the grant of authority to a subordinate for the accomplishment of a particular task.

1.3 CONSTRUCT THE EDUCATION AND AWARENESS IN THE ORGANIZATION

THE SECURITY AWARENESS AND EDUCATION
Information assurance is achieved only when the information and its systems are protected against attacks by means of applied security.
Aspects to achieve information assurance:
⚫ CONFIDENTIALITY
⚫ INTEGRITY
⚫ AVAILABILITY
⚫ NON-REPUDIATION
⚫ AUTHENTICATION

LACK OF AWARENESS

1.3 EDUCATION AND AWARENESS IN THE ORGANIZATION
VIDEO 1 / VIDEO 2:
https://youtu.be/1A-NhegITyI
https://youtu.be/DUY9nWcTRpY
https://youtu.be/o_58rBduAqQ

INDIVIDUAL/GROUP TASK: Find out at least 5 of the most common security awareness mistakes that need to be avoided in 2021 and how to deal with them. Write a brief summary report of your findings.

Management Awareness
All of the most advanced, high-tech cybersecurity tools in the world won’t protect your business from data breaches if your employees aren’t well informed about best practices for data protection. Errors are part of the cause of 21 percent of data breaches, according to Verizon’s 2019 Data Breach Investigations Report. Hackers commonly employ tactics like phishing and other social engineering strategies to get company employees to open the door to sensitive data. That’s why ongoing awareness training is perhaps the most important security solution of all.
Employee Security Awareness Training: https://youtu.be/2Cz5TAbnK5w
ACTIVITY: Identify the steps every business should take to improve security awareness.

Technology Trap
Technologies can have harmful effects on users’ psychological health, on society, and on the environment. “Technology traps” arise when users and societies become stuck with technologies and the harmful consequences produced by these technologies.
Five technology traps:
1. Peer Technology
2. CPA Firms are Different
3. Stability
4. Believing you are a Leader
5. Getting High on Your Own Supply
ACTIVITY: Using a mind map, identify the steps to avoid the technology trap.

Awareness of end users
The growing need for security awareness training is based on the rising use of technology in our daily lives. We are driven to make sure that those who are responsible for the implementation and maintenance of technology assets (developers, network administrators, IT staff, etc.) are well trained in order to prevent security incidents and breaches. However, by focusing on the technological aspect of security awareness, we can often lose sight of a much larger group of people who are an essential part of overall security: end users. An end user is an employee who uses the hardware and software assets of your organization in order to perform their job duties. End user security awareness training can support their roles and job functions.

Best awareness training topics for end users:
1. Data classification and privacy
2. Anti-phishing and social engineering
3. Email management
4. Physical access controls
5. Data backups
6. Software patches and updates
7. Anti-virus and anti-ransomware applications
8. Web browsing
9. Impact of personal cyber security habits
10. Use of wireless networks

END OF CHAPTER 1
THANK YOU