Summary

This document provides an overview of managing information technology and organizational structure, as it pertains to the different types of committees, and senior-management roles in creating a strategy. Information security management is also addressed.

Full Transcript

AIS 5131 - MANAGING INFORMATION TECHNOLOGY
Chapter 4: Organizational Structure
Part 1 – Section A

- Strategic direction
- Impetus (stimulus/boost)
- Commitment
- Resources
- Assignment of responsibility for information security management
- Means for the board to determine that its intent has been met

Organizational Structure
Key component to governance
Identifies the key decision-making entities in an enterprise
★ Actual organizational structures may differ depending on the size, industry and location of an enterprise

Effective information security governance can be accomplished only by:
➔ Involvement of the board of directors and/or senior management in approving policy
➔ Ensuring appropriate monitoring
➔ Reviewing metrics, reports and trend analysis

IT Governing Committees
Traditionally, organizations have high executive-level steering committees to handle organization-wide IT issues
Executive-level steering committees: handle IT issues organization-wide
IT strategy and steering levels: a clear understanding of each is needed to perform their tasks respectively
Other executive- and mid-management-led committees: guide IT operations, such as:
1. An IT executive committee
2. IT Governance committee
3. IT Investment committee
4. IT management committee

Board of Directors (BOD)
BOD: needs to be aware of the organization's information assets and their criticality; awareness can be achieved by:
- Providing the BOD with the high-level results of comprehensive risk assessments and business impact analysis (BIA)
- Having a business dependency assessment of information resources (include approval by the BOD of the assessment of key assets to be protected); helps ensure the protection level and priorities are appropriate to a standard of due care

Document issued by ISACA on IT Strategy and Steering Committees
➔ IT Strategy Committee: Responsibility – providing insight and advice; Topic – IT strategy and strategic IT issues; Composition – Board members & specialists
➔ IT Steering Committee: Responsibility – Decision making & approval; Focus of task – more on control, delivery, and implementation; Composition – Senior executives per department

Tone at the top: should be conducive to effective security governance
Senior management and lower-level personnel: both should abide by security measures
Management endorsement of intrinsic/essential security requirements: basis to ensure security expectations are met at all levels of the enterprise
Penalties for noncompliance: be defined, communicated, and enforced at all levels, from the board level & down

Roles And Responsibilities of Senior Management and Boards of Directors
Information security governance requires:
➔ Serves as an effective communications channel
➔ Provides an ongoing basis for ensuring the alignment of the security program with business objectives
➔ Be instrumental in achieving modification of behavior toward a culture more conducive to good security

BOD: accountable and liable body for the organization
Accountability: taking responsibility to ensure that the organization:
➔ follows the laws
➔ behaves in an ethical manner
➔ makes efficient use of its resources

Senior Management
Implementing effective security governance and defining strategic security objectives: are complex tasks; must have leadership & must be supported continuously by the executive management
Integration and cooperation of business process owners are required
Successful outcome of integration: alignment of information security activities with business objectives
The extent of the achievement of this outcome: determines the cost effectiveness of the information security program
Objectives of the information security program:
a) Provide a defined level of assurance for business information and processes
b) Provide an acceptable level of impact from adverse events

Chief Information Security Officer (CISO): drives the information security program:
- To have realistic policies, standards, procedures and processes that are implementable and auditable
- To achieve a balance of performance in relation to security

Information security standards committee (ISSC): deliberating committee; means to necessarily involve affected groups
❖ The ISSC: includes members from C-level executive management and senior managers from IT, application owners, business process owners, operations, HR, audit and legal
➔ C-level executive: high-ranking or senior executives; C means "Chief"
Examples of C-level executives:
- Chief executive officer (CEO)
- Chief operating officer (COO)
- Chief marketing officer (CMO)
- Chief financial officer (CFO)
- Chief information officer (CIO)

Information Security Standards Committee
Security affects all aspects of an organization to some extent
Security must be pervasive (widespread) throughout the enterprise to be effective
Steering committee: used to involve all stakeholders affected by security considerations; use a steering committee that consists of senior representatives of affected groups
Use of Steering Committee
➔ Facilitates achieving consensus on priorities and trade-offs

Chief Information Security Officer (CISO)
All organizations have a CISO, whether or not anyone holds the exact title (equivalent position of CIO or CISO responsible for information security)
Responsibilities of CISO: may be performed by the CIO (Chief Information Officer; head of IT), CTO (Chief Technical Officer), CFO or, in some cases, the CEO (even if there is an information security officer in place)
Information Security: due to its scope, requires a senior officer or top management responsibility; could be a CRO (Chief Risk Officer) or a CCO (Chief Compliance Officer)
Legal Responsibility: extends up the command structure and resides with senior management and the BOD
Failure to recognize the above and implement appropriate governance structures:
- Can result in senior management being unaware of the responsibility and liability
- Results in a lack of effective alignment of business objectives and security activities
Prudent (Far-sighted or Careful) management: elevating the security officer position to a senior management position, as organizations increasingly recognize their dependence on information and the growing threats within

IT Steering Committee
One of the most important committees
Steering committee: oversees the IT function and its activities
High-level steering committee for information systems: important to ensure the IT department is in harmony with the corporate mission and objectives
Desirable practice: a member of the BOD who understands the risks/issues is responsible for IT and chairs the committee
Committee composition: representatives from senior management, each line of business, and corporate departments such as HR, Finance, and IT
Requirements:
Duties and responsibilities: defined in a formal charter
Members:
➔ Should know IT department policies, procedures and practices
➔ Should have the authority to make decisions within their groups

Primary Functions:
IT Steering Committee: serves as a general review board for major IS projects; no involvement in routine operations
1) Reviewing the long- and short-range plans of the IT department to ensure alignment with corporate objectives
2) Reviewing and approving major acquisitions of hardware and software, within the limits reviewed and approved
3) Approving and monitoring major projects and the status of IS plans and budgets, establishing priorities, approving standards and procedures, and monitoring overall IS performance
4) Reviewing and approving sourcing strategies for selected or all IS activities, including insourcing, outsourcing, and the globalization for offshoring
5) Reviewing adequacy of resources and allocation of resources in terms of:
   A. Time
   B. Personnel
   C. Equipment
6) Making decisions on centralization versus decentralization and assignment of responsibility
7) Supporting development and implementation of an enterprise-wide information security management program
8) Reporting to the board of directors on IS activities

Note on the Responsibilities of the IT Steering Committee
Responsibilities: vary from enterprise to enterprise
Responsibilities mentioned: the most common responsibilities of the IT Steering Committee
Formally documented and approved terms of reference: should be present
IS auditors: should be familiar with IT steering committee documentation and understand the major responsibilities assigned to its members
IT Steering Committee: may go by a different name
IS auditor: needs to identify the group that performs the functions discussed

Chapter 4: Organizational Structure
Part 1 – Section B

Matrix of Outcomes and Responsibilities
The relationships between the outcomes of effective security governance and management responsibilities are shown in figure 2.4
- Matrix: not meant to be comprehensive; intended to indicate some primary tasks and the management level responsible for the tasks
- Titles may vary, but the roles and responsibilities should exist, even if different labels are used
- CISA exam: does not test specific job responsibilities
- Universally known responsibilities: might be tested

Notes on Specific Job Responsibilities
1. BOD: Require and oversee activities; oversight; recipients of the reports; might establish risk tolerance.
2. Executive Management: Institute, procure, and provide activities; require case study of security activities, and monitor regulatory compliance.
3. Steering Committee: Review security strategy; ensure that business owners support integration; identify emerging risk; identify and review business processes.
4. CISO: Performs activities that develop, ensure, enforce, liaise, or coordinate activities; the level/position that requires the most action of implementation; monitors effectiveness of security resources.
5. Audit Executives: Evaluate and report aspects of the security governance committee; focus of evaluation and reporting is the alignment, results, efficiency, and effectiveness.

IT Organizational Structure and Responsibilities
IT Department: can be structured in different ways
Organizational chart: includes functions related to security, application development and maintenance, technical support for network and systems administration, and operations
IT Department: typically headed by an IT manager/director or CIO (Chief Information Officer)

IT Roles and Responsibilities (Introduction)
Organizational chart: important for all employees to know; provides a clear definition of the department's hierarchy and authorities
Job descriptions, RACI (Responsible, Accountable, Consulted, Informed) charts, and swimlane workflow diagrams: provide more complete and clear direction regarding employees' roles and responsibilities
IS auditor: should observe and determine whether the formal job descriptions and structures coincide with the real ones, and are adequate

IT Functions that should be reviewed:
a) Systems Development Manager
Responsible for programmers and analysts who implement new systems and maintain existing systems
b) Project Management
Project managers: responsible for planning and executing IS projects; may report to a project management office or to the development organization; play a central role in executing the vision of the IT strategy and IT steering committees
Project management staff: use budgets for the delivery of IS initiatives and report on project progress to the IT steering committee
c) Help Desk (service desk)
Help desk function: critical for IT departments
Help desk: responds to technical questions and problems faced by users in larger IT environments
Most software companies have help desks
Questions and answers can be delivered by telephone, fax, email, instant messaging
Help desk personnel: may use third-party help desk software to quickly find answers to common questions
Procedure to record the problems should be in place for analysis of the problems
Help desk/support administration includes the following activities (generally for the end users):
1. Acquire hardware/software (HW/SW)
2. Assist with HW/SW difficulties
3. Provide training in the use of HW/SW and databases; answer queries
4. Monitor technical developments and inform users of pertinent developments
5. Determine the source of problems and initiate corrective actions; report problems with HW/SW or databases
6. Initiate changes for efficiency
d) End User
End users: responsible for operations related to business application services
Personnel in user departments: perform their data entry online
Data: captured from the original source, e.g., electronic data interchange [EDI] input documents and data captured from bar codes
User department and the system application: must have controls in place to ensure that data are validated, accurate, complete, and authorized
"End user" vs "User"
End user: more specific; someone who will access a business application
User: broader; could refer to administrative accounts and accounts to access platforms
Platform: set of technologies used as a base upon which other applications are developed; basic hardware (computer) and software (operating system)
e) End-User Support Manager
Acts as a liaison between the IT department and the end users
f) Data Management
Data management personnel are:
- Responsible for the data architecture
- Tasked with managing data as corporate assets
g) Quality Assurance (QA) Manager
Responsible for negotiating and facilitating quality activities in all areas of IT
h) Information security management
Needs to be separate from the IT department and headed by a CISO
CISO reporting to the CIO: may be direct or indirect (dotted-line)
Possible conflict between CISO and CIO: CIO focuses on efficiently providing continuous IT services while CISO focuses on quality of protection

Other Major IT Functions:
1) Vendor and Outsourcer Management
Dedicated staff: may be required to manage the vendors and outsourcers due to the increase in outsourcing
The staff performs the following functions:
- Acting as the prime contact for vendors and outsourcers within the IT function
- Providing direction on issues and escalating internally within the organization and IT function
- Monitoring and reporting on the service levels to management
- Reviewing changes to the contract due to new requirements and obtaining IT approvals
2) Infrastructure Operations and Maintenance
Operations manager: responsible for computer operations personnel (e.g., computer operators, librarians, schedulers, data control personnel)
Data center: includes the servers and mainframe, peripherals, networking equipment, magnetic media, and storage area networks; a major asset investment
Control group is responsible for:
- the collection, conversion and control of input
- the balancing and distribution of output to the user community
Supervisor of control group: reports to the IPF (Information Processing Facility) operations manager
Input/output control group: should be in a separate area for authorized personnel only since they handle sensitive data
3) Media Management
Required to record, issue, receive and safeguard all program and data files maintained on removable media
May be assigned to a full-time individual, or a member of operations who also performs other duties
A crucial function; therefore, many organizations provide additional support through the use of software that assists in:
➔ Maintaining inventory
➔ Movement
➔ Version control, and
➔ Configuration management
4) Data Entry
Critical to the information processing activity; includes batch entry or online entry
5) Supervisory Control and Data Acquisition (SCADA)
Automated systems for data acquisition: deployed by organizations
SCADA: centralized systems that monitor and control entire sites, or complexes of systems spread out over large areas
SCADA systems: for industrial plants, steel mills, power plants, electrical facilities and similar
Remote terminal units (RTUs) or programmable logic controllers (PLCs): perform automatic site control
Host control functions: restricted to basic site overriding or supervisory-level intervention
- Example: automated systems used on oil rigs, to measure and control the extraction of oil, and to control the temperature and flow of water
Data acquisition: begins at the RTU or PLC level; includes meter readings and equipment status reports
History log: may also be used to receive/hold data, for trending and other analytical auditing
SCADA applications traditionally used dedicated communication lines, but there has been a significant migration to the Internet
Advantage of using the Internet: easier integration with the business applications
Disadvantage of using the Internet: companies are nation-critical infrastructures and become easy prey to cyberattacks
6) Systems Administration
Responsible for maintaining major multiuser computer systems, including:
➔ Local area networks (LANs)
➔ Wireless local area networks (WLANs)
➔ Wide area networks (WANs)
➔ Virtual machine/server/network environments
➔ Personal area networks (PANs)
➔ Storage area networks (SANs)
➔ Intranets and extranets
➔ Mid-range and mainframe systems
Duties of the systems administrator:
- Adding and configuring new workstations and peripherals
- Setting up user accounts
- Installing system-wide software
- Performing procedures to prevent/detect/correct the spread of viruses
- Allocating mass storage space
Single administrator or team of administrators
Some mainframe-centric organizations: may refer to a systems administrator as a systems programmer
7) Security Administration
Begins with management's commitment
Management: must understand and evaluate security risk; must develop and enforce a written policy stating the standards and procedures
Duties of the security administrator: be defined in the policy
Security administrator: be a full-time employee (for proper SoD); may report to the infrastructure director; not practical as a full-time employee for a small organization
Security administrator: should ensure users comply with the corporate security policy; should ensure controls are adequate to prevent unauthorized access to the company assets
Functions of the security administrator:
I. Maintaining access rules
II. Maintaining security and confidentiality for user IDs and passwords
III. Monitoring security violations and taking corrective action
IV. Reviewing and evaluating the security policy and suggesting necessary changes
V. Preparing and monitoring the security awareness program
VI. Testing the security architecture
VII. Working with compliance, risk management and audit functions for designing and updating security
8) Database Administration
Database administrator (DBA): Custodian; defines and maintains the data structures in the corporate database system
Must understand the organization and user data and data relationship requirements
Responsible for the security of the shared data stored on database systems
Reports directly to the director of the IPF (Information Processing Facility)
DBA's role:
I. Specifying the physical data definition
II. Changing the physical data definition
III. Selecting and implementing database optimization tools
IV. Testing and evaluating programming and optimization tools
V. Answering programmer queries and educating programmers in the database structures
VI. Implementing database definition controls, access controls, update controls and concurrency controls
VII. Monitoring database usage, collecting performance statistics and tuning the database
VIII. Defining and initiating backup and recovery procedures
DBA:
- Has tools to establish controls over the database and the ability to override these controls
- Has the capability of gaining access to all data; usually not practical to prohibit or completely prevent DBA access to production data
★ IT department must exercise close control over database administration through:
➔ SoD
➔ Management approval of DBA activities
➔ Supervisor review of access logs
➔ Detective controls over the use of database tools
9) Systems Analysts
Specialists who design systems based on the user needs; involved during the initial phase of the system development life cycle (SDLC)
Interpret the needs of the user; develop requirements and functional specifications, as well as high-level design documents
High-level design documents: enable programmers to create a specific application
10) Security Architect
Evaluate security technologies
Design security aspects of the network topology, access control, identity management and other security systems
Establish security policies and security requirements
Security Architects vs Systems Analysts
- Both may perform the same role, but the required set of skills is different
- Their deliverables are different (policies, requirements, architecture diagrams vs program specifications)
Compliance, risk management and audit functions: security architects should work with these
11) System Security Engineer
The system security engineer (under ISO/IEC 21827:2008: Information technology—Security techniques—Systems Security Engineering—Capability Maturity Model) provides technical information system security engineering support to the organization that encompasses the following:
I. Project life cycles and activities
II. Entire organizations
III. Concurrent interactions with other disciplines
IV. Interactions with other organizations
12) Applications Development and Maintenance
Applications staff:
➔ Responsible for developing and maintaining applications; development can include developing new code or changing the existing setup or configuration of the application
➔ Develop the programs or change the application setup that will run in a production environment; therefore, management must ensure that staff cannot modify production programs or application data
➔ Should work in a test-only environment and turn their work over to another group to move programs and application changes into the production environment
13) Infrastructure Development and Maintenance
Infrastructure staff:
- Responsible for maintaining the systems software
- May be required to have broad access to the entire system
➔ May be responsible for security administration over the LAN
➔ Should have no application programming responsibilities but may have systems programming and end-user responsibilities
Electronic logs: used by IT management to monitor the staff; should capture maintenance activities of the staff; should not be susceptible to alteration
Infrastructure staff: access to only the system libraries of the specific software they maintain
Usage of domain administration and superuser accounts: controlled and monitored
14) Network Management
Organizations: have widely dispersed IPFs (Information Processing Facilities); may have a central IPF, but make use of:
- LANs
- WANs, where LANs may be interconnected
- Wireless networks
Network administrators: responsible for key components of the network infrastructure (e.g., routers, switches, firewalls, network segmentation, performance management, remote access)
Geographical dispersion: results in each LAN needing an administrator (LAN Administrator)
Network/LAN administrators: can report to the director of the IPF or may report to the end-user manager (still advisable to have a dotted line to the director of the IPF)
Responsible for technical and administrative control over the LAN, which includes:
- Ensuring that transmission links are functioning correctly
- Backups of the system are occurring, and
- Software/hardware purchases are authorized and installed properly
Network/LAN administrators in smaller installations:
