management and info security
ITC358 ICT Management and Information Security
Chapter 1
Introduction to the Management of Information Security
If this is the information superhighway, it’s going through
a lot of bad, bad neighborhoods. – Dorian Berger
Objectives
Upon completion of this material, you should be able to:
Describe the importance of the manager’s role in securing an organisation’s use of information technology, and understand who is responsible for protecting an organisation’s information assets
Enumerate and discuss the key characteristics of information security
Enumerate and define the key characteristics of leadership and management
Differentiate information security management from general management
Introduction
Information technology
The vehicle that stores and transports information from one business unit to another
The vehicle can break down
The concept of computer security has been replaced by the concept of information security
Covers a broad range of issues
From protection of data to protection of human resources
Information security is no longer the sole responsibility of a discrete group of people in the company
It is the responsibility of every employee, especially managers
Introduction (cont’d.)
Information security decisions should involve three distinct groups of decision makers (communities of interest)
Information security managers and professionals
Information technology managers and professionals
Non-technical business managers and professionals
Introduction (cont’d.)
InfoSec community
Protects the organisation’s information assets from the threats they face.
IT community
Supports the business objectives of the organisation by supplying and supporting information technology appropriate to the business needs
Non-technical general business community
Articulates and communicates organisational policy and objectives and allocates resources to the other groups
What Is Security?
Definitions
Security is defined as “the quality or state of being secure— to be free from danger”
Security is often achieved by means of several strategies undertaken simultaneously or used in combination with one another
Specialised areas of security
Physical security, operations security, communications security, and network security
What Is Security? (cont’d.)
Information security
The protection of information and its critical elements (confidentiality, integrity and availability), including the systems and hardware that use, store, and transmit that information
Through the application of policy, technology, and training and awareness programs
Policy, training and awareness programs and technology are vital concepts
CNSS Security Model
Figure 1-1 Components of Information security
Source: Course Technology/Cengage Learning
CNSS Security Model (cont’d.)
C.I.A. triangle
Confidentiality, integrity, and availability
Has expanded into a more comprehensive list of critical characteristics of information
NSTISSC (CNSS) Security Model
Also known as the McCumber Cube
Provides a more detailed perspective on security
Covers the three dimensions of information security: the desired goals (confidentiality, integrity, availability), the states information can be in (storage, processing, transmission), and the safeguards applied (policy and practice, education/training/awareness, technology), giving 27 cells to be accounted for
CNSS Security Model (cont’d.)
NSTISSC Security Model (cont’d.)
Omits discussion of detailed guidelines and policies that direct the implementation of controls
Weakness of this model emerges if viewed from a single perspective
Need to include all three communities of interest
CNSS Security Model (cont’d.)
Figure 1-2 CNSS security Model
Source: Course Technology/Cengage Learning (adapted from NSTISSI No. 4011)
Key Concepts of Information Security
Confidentiality
The characteristic of information whereby only those with sufficient privileges may access certain information
Measures used to protect confidentiality
Information classification
Secure document storage
Application of general security policies
Education of information custodians and end users
Key Concepts of Information Security (cont’d.)
Integrity
The quality or state of being whole, complete, and uncorrupted
Information integrity is threatened
If exposed to corruption, damage, destruction, or other disruption of its authentic state
Corruption can occur while information is being compiled, stored, or transmitted
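The distinction between accidental corruption and deliberate tampering matters for how integrity is checked. The following is an added example, not part of the original chapter: it shows that an unkeyed digest stored beside a record catches a flipped bit in storage or transit but is defeated by an attacker who can rewrite both the record and the digest, while a keyed tag (HMAC) catches both cases. The record, the key and the tampering scenario are constructed for illustration; in practice the key would live in a key store rather than in source.

```python
import hashlib
import hmac

# Constructed example data: a record an application stores or transmits, and a
# hypothetical integrity key known only to the application (not a real key).
INTEGRITY_KEY = b"example-key-keep-in-a-kms-not-in-source"
RECORD = b"invoice=1042;payee=ACME Pty Ltd;amount=1800.00"


def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-256: detects accidental corruption only, because anyone
    who can change the data can also recompute the digest."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(data: bytes, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256: detects accidental corruption and deliberate tampering,
    since producing a valid tag requires the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_plain(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(data), digest)


def verify_keyed(data: bytes, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    # compare_digest keeps the comparison constant-time so the tag does not
    # leak through timing differences
    return hmac.compare_digest(keyed_tag(data, key), tag)


def bit_flip(data: bytes, index: int) -> bytes:
    """Simulate corruption in storage or transit by flipping one bit."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def scenarios() -> dict:
    """Run the cases described in the text and return each check's verdict."""
    digest, tag = plain_digest(RECORD), keyed_tag(RECORD)

    # 1. Accidental corruption while stored or transmitted: both checks reject it.
    corrupted = bit_flip(RECORD, 5)

    # 2. Deliberate tampering by someone who can also rewrite the stored digest:
    #    the attacker changes the amount and recomputes the unkeyed digest.
    tampered = RECORD.replace(b"1800.00", b"18000.00")
    forged_digest = plain_digest(tampered)

    return {
        "intact_plain": verify_plain(RECORD, digest),
        "intact_keyed": verify_keyed(RECORD, tag),
        "corrupted_plain": verify_plain(corrupted, digest),
        "corrupted_keyed": verify_keyed(corrupted, tag),
        # the unkeyed digest accepts the forgery; the keyed tag does not
        "tampered_plain_forged": verify_plain(tampered, forged_digest),
        "tampered_keyed": verify_keyed(tampered, tag),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24s} {'verified' if ok else 'REJECTED'}")
```

The keyed check still only proves that whoever holds the key produced the tag; it does not help against an insider who holds the key, which is why key custody is a management control and not just a technical one.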
Key Concepts of Information Security (cont’d.)
Availability
The characteristic of information that enables user access to information in a required format, without interference or obstruction
A user in this definition may be either a person or another computer system
Availability does not imply that the information is accessible to any user
Implies availability to authorised users
Key Concepts of Information Security (cont’d.)
Privacy
Information collected, used, and stored by an organisation is to be used only for the purposes stated to the data owner at the time it was collected
Privacy as a characteristic of information does not signify freedom from observation
Means that information will be used only in ways known to the person providing it
Key Concepts of Information Security (cont’d.)
Identification
An information system possesses the characteristic of identification when it is able to recognise individual users
Identification and authentication are essential to establishing the level of access or authorisation that an individual is granted
Authentication
Occurs when a control proves that a user possesses the identity that he or she claims
Key Concepts of Information Security (cont’d.)
Authorisation
Assures that the user has been specifically and explicitly authorised by the proper authority to access, update, or delete the contents of an information asset
User may be a person or a computer
Authorisation occurs after authentication
Key Concepts of Information Security (cont’d.)
Accountability
Exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process
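The four characteristics above (identification, authentication, authorisation, accountability) are easiest to see as an ordered sequence of checks. The following is an added example, not code from the chapter: a small access function that recognises the claimed identity, proves it with a salted password hash, consults an explicit access-control list only after authentication has succeeded, and writes every attempt, granted or refused, to an audit log attributed to the subject. The user directory, passwords and ACL are constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone


# Constructed sample directory: passwords are kept only as salted PBKDF2 hashes.
# The plaintexts appear here solely to build the example offline.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


USERS = {
    "alice": _make_user("correct horse battery"),
    "bob": _make_user("hunter2"),
}

# Hypothetical access-control list: asset -> subject -> explicitly granted actions.
ACL = {
    "payroll.csv": {"alice": {"read", "update"}, "bob": {"read"}},
}

AUDIT_LOG: list = []


def identify(claimed: str) -> bool:
    """Identification: does the system recognise this identity at all?"""
    return claimed in USERS


def authenticate(user: str, password: str) -> bool:
    """Authentication: prove the claimant holds the identity."""
    rec = USERS[user]
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])


def authorise(user: str, asset: str, action: str) -> bool:
    """Authorisation: only what the asset's ACL explicitly grants; nothing implicit."""
    return action in ACL.get(asset, {}).get(user, set())


def _record(subject: str, asset: str, action: str, outcome: str) -> None:
    """Accountability: every attempt, granted or not, is attributed to a subject."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": subject, "asset": asset, "action": action, "outcome": outcome,
    })


def access(claimed: str, password: str, asset: str, action: str) -> str:
    """Run the four steps in order; the ACL is never consulted before
    authentication succeeds. Returns the outcome string that was logged."""
    if not identify(claimed):
        outcome = "unknown identity"
    elif not authenticate(claimed, password):
        outcome = "authentication failed"
    elif not authorise(claimed, asset, action):
        outcome = "not authorised"
    else:
        outcome = "granted"
    _record(claimed, asset, action, outcome)
    return outcome


if __name__ == "__main__":
    print(access("alice", "correct horse battery", "payroll.csv", "update"))
    print(access("bob", "hunter2", "payroll.csv", "update"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that refused attempts are logged too: a record of who tried what and was denied is as much a part of accountability as the record of successful access, and the "unknown identity" entries are what an analyst later uses to spot guessing against the directory.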
What Is Management?
The process of achieving objectives using a given set of resources
Manager
Someone who works with and through other people by coordinating their work activities in order to accomplish organisational goals
What is Management? (cont’d.)
Managerial roles
Informational role
Collecting, processing, and using information that can affect the completion of the objective
Interpersonal role
Interacting with superiors, subordinates, outside stakeholders, and other parties that influence or are influenced by the completion of the task
Decisional role
Selecting from among alternative approaches, and resolving conflicts, dilemmas, or challenges
What is Management? (cont’d.)
Leaders
Influence employees to accomplish objectives
Lead by example; demonstrating personal traits that instill a desire in others to follow
Provide purpose, direction, and motivation to those that follow
Managers
Administer the resources of the organisation
Create budgets, authorise expenditures and hire employees
Behavioural Types of Leaders
Three basic behavioural types of leaders
Autocratic
Democratic
Laissez-faire
Management Characteristics
Two basic approaches to management
Traditional management theory
Uses the core principles of planning, organising, staffing, directing, and controlling (POSDC)
Popular management theory
Categorises the principles of management into planning, organising, leading, and controlling (POLC)
Management Characteristics (cont’d.)
Source: Course Technology/Cengage Learning (adapted from Jourdan, 2003)
Figure 1-3 The planning-controlling link
Management Characteristics (cont’d.)
Planning
The process that develops, creates, and implements strategies for the accomplishment of objectives
Three levels of planning
Strategic, tactical, and operational
Planning process begins with the creation of strategic plans for the entire organisation
Management Characteristics (cont’d.)
An organisation must thoroughly define its goals and objectives
Goals are the end results of the planning process
Objectives are intermediate points that allow you to measure progress toward the goal
Management Characteristics (cont’d.)
Organising
The management function dedicated to the structuring of resources to support the accomplishment of objectives
Requires determining what is to be done, in what order, by whom, by which methods, and according to what timeline
Management Characteristics (cont’d.)
Leading
Leadership encourages the implementation of the planning and organising functions
Includes supervising employee behaviour, performance, attendance, and attitude
Leadership generally addresses the direction and motivation of the human resource
Management Characteristics (cont’d.)
Controlling
Monitoring progress toward completion
Making necessary adjustments to achieve the desired objectives
The control function serves to assure the organisation of the validity of the plan
Determines what must be monitored as well as applies specific control tools to gather and evaluate information
Management Characteristics (cont’d.)
Figure 1-4 The control process
Source: Course Technology/Cengage Learning
Solving Problems
Step 1: Recognise and define the problem
Step 2: Gather facts and make assumptions
Step 3: Develop possible solutions
Step 4: Analyse and compare possible solutions
Step 5: Select, implement, and evaluate a solution
Principles of Information Security Management
The extended characteristics of information security are known as the six P’s
Planning
Policy
Programs
Protection
People
Project Management
Planning
Planning as part of InfoSec management
An extension of the basic planning model discussed earlier in this chapter
Included in the InfoSec planning model
Activities necessary to support the design, creation, and implementation of information security strategies
Planning (cont’d.)
Types of InfoSec plans
Incident response planning
Business continuity planning
Disaster recovery planning
Policy planning
Personnel planning
Technology rollout planning
Risk management planning
Security program planning
Includes education, training and awareness
Policy
Policy
The set of organisational guidelines that dictates certain behavior within the organisation
Three general categories of policy
Enterprise information security policy (EISP)
Issue-specific security policy (ISSP)
System-specific policies (SysSPs)
Programs
Programs
InfoSec operations that are specifically managed as separate entities
Example: a security education training and awareness (SETA) program
Other types of programs
Physical security program
Complete with fire protection, physical access controls, gates, guards, etc.
Protection
Executed through risk management activities
Including risk assessment and control, protection mechanisms, technologies, and tools
Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan
People
People
The most critical link in the information security program
Managers must recognise the crucial role that people play in the information security program
This area of InfoSec includes security personnel and the security of personnel, as well as aspects of a SETA program
Project Management
Project management
Identifying and controlling the resources applied to the project
Measuring progress
Adjusting the process as progress is made
Project Management (cont’d.)
Information security is a process, not a project
Each element of an information security program must be managed as a project
A continuous series, or chain, of projects
Some aspects of information security are not project based
They are managed processes (operations)
Project Management (cont’d.)
Figure 1-4 The information security program chain
Source: Course Technology/Cengage Learning
Project Management (cont’d.)
Project Management
The application of knowledge, skills, tools, and techniques to project activities to meet project requirements
Accomplished through the use of processes
Such as initiating, planning, executing, controlling, and closing
Involves the temporary assemblage of resources to complete a project
Some projects are iterative, occurring regularly
Applying Project Management to Security
First identify an established project management methodology
PMBoK is considered the industry best practice
Other project management practices exist
Project Management Body of Knowledge
Table 1-1 Project management knowledge areas
Source: Course Technology/Cengage Learning
PMBoK Knowledge Areas
Project integration management
Includes the processes required to coordinate the work that occurs between the components of a project
Elements of a project management effort that require integration
The development of the initial project plan
Monitoring of progress during plan execution
Control of plan revisions
Control of the changes made to resource allocations
As measured performance causes adjustments to the project plan
PMBoK Knowledge Areas (cont’d.)
Project plan development
The process of integrating all of the project elements into a cohesive plan
Goal is to complete the project within the allotted work time using no more than the allotted project resources
Core components of project plan
Work time, resources, and project deliverables
Changing one element affects the other two
Likely requires revision of the plan
PMBoK Knowledge Areas (cont’d.)
Figure 1-7 Project plan inputs
Source: Course Technology/Cengage Learning
PMBoK Knowledge Areas (cont’d.)
When integrating the disparate elements of a complex information security project, complications are likely to arise
Conflicts among communities of interest
Far-reaching impact
Resistance to new technology
PMBoK Knowledge Areas (cont’d.)
Project scope management
Ensures that project plan includes only those activities necessary to complete it
Scope
The quantity or quality of project deliverables
Major processes
Initiation, scope planning, definition, verification and change control
PMBoK Knowledge Areas (cont’d.)
Project time management
Ensures that project is finished by identified completion date while meeting objectives
Failure to meet project deadlines is among most frequently cited failures in project management
Many missed deadlines are caused by poor planning
PMBoK Knowledge Areas (cont’d.)
Project time management includes the following processes
Activity definition
Activity sequencing
Activity duration estimating
Schedule development
Schedule control
PMBoK Knowledge Areas (cont’d.)
Project cost management
Ensures that a project is completed within the resource constraints
Some projects are planned using only a financial budget
From which all resources must be procured
Includes resource planning, cost estimating, cost budgeting, and cost control
PMBoK Knowledge Areas (cont’d.)
Project quality management
Ensures project meets project specifications
Quality objective met
When deliverables meet requirements specified in project plan
A good plan defines project deliverables in unambiguous terms
For easy comparison against actual results
Includes quality planning, quality assurance and quality control
PMBoK Knowledge Areas (cont’d.)
Project human resource management
Ensures personnel assigned to project are effectively employed
Staffing a project requires careful estimates of effort required
Unique complexities
Extended clearances
Deploying technology new to the organisation
Includes organisational planning, staff acquisition and team development
PMBoK Knowledge Areas (cont’d.)
Project communications management
Conveys details of project activities to all involved
Includes the creation, distribution, classification, storage, and destruction of documents, messages, and other associated project information
Includes communications planning, information distribution, performance reporting and administrative closure
PMBoK Knowledge Areas (cont’d.)
Project risk management
Assesses, mitigates, manages, and reduces the impact of adverse occurrences on the project
Information security projects have unique risks
Includes risk identification, risk quantification, risk response development and risk response control
PMBoK Knowledge Areas (cont’d.)
Project procurement
Acquiring needed project resources
Project managers may simply requisition resources from organisation, or may have to purchase
Includes procurement planning, solicitation planning, solicitation, source selection, contract administration and contract closeout
Project Management Tools
Many tools exist
Most project managers combine software tools that implement one or more of the dominant modeling approaches
Project management certification
The Project Management Institute (PMI)
Leading global professional association
Sponsors two certificate programs: The Project Management Professional (PMP) and Certified Associate in Project Management (CAPM)
Project Management Tools (cont’d.)
Projectitis
Occurs when the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than accomplishing meaningful project work
Precursor to projectitis
Developing an overly elegant, microscopically detailed plan before gaining consensus for the work required
Work Breakdown Structure
Work breakdown structure (WBS)
Simple planning tool for creating a project plan
The project plan is first broken down into a few major tasks
Each task is placed on the WBS task list
Work Breakdown Structure (cont’d.)
Determine minimum attributes for each task
The work to be accomplished (activities and deliverables)
Estimated amount of effort required for completion in hours or workdays
The common or specialty skills needed to perform the task
Task interdependencies
Work Breakdown Structure (cont’d.)
As the project plan develops, additional attributes can be added
Estimated capital and noncapital expenses for the task
Task assignment according to specific skills
Start and end dates
Work Breakdown Structure (cont’d.)
Work phase
Phase in which the project deliverables are prepared
Occurs after the project manager has completed the WBS
Work Breakdown Structure (cont’d.)
Table 1-2 Early draft work breakdown structure
Source: Course Technology/Cengage Learning
Table 1-3 Later draft work breakdown structure
Source: Course Technology/Cengage Learning
Task-Sequencing Approaches
Many possibilities for task assignment and scheduling
For modest and large size projects
A number of approaches can assist the project manager in this sequencing effort
Network scheduling
Refers to the web of possible pathways to project completion
Task Sequencing Approaches (cont’d.)
Figure 1-8 Simple network dependency
Source: Course Technology/Cengage Learning
Task Sequencing Approaches (cont’d.)
Figure 1-9 Complex network dependency
Source: Course Technology/Cengage Learning
Task Sequencing Approaches (cont’d.)
Program Evaluation and Review Technique (PERT)
Most popular technique
Originally developed in the late 1950s for government-driven engineering projects
Task Sequencing Approaches (cont’d.)
Three key questions
How long will this activity take?
What activity occurs immediately before this activity can take place?
What activity occurs immediately after this activity?
Determine the critical path
By identifying the longest (slowest) path through the activities; its total duration is the shortest time in which the project can finish, so any delay on it delays the whole project
Task Sequencing Approaches (cont’d.)
Slack time
How much time is available for starting a noncritical task without delaying the project as a whole
Tasks which have slack time are logical candidates for accepting a delay
Task Sequencing Approaches (cont’d.)
PERT advantages
Makes planning large projects easier
By facilitating the identification of pre- and post- activities
Determines the probability of meeting requirements
Anticipates the impact of system changes
Presents information in a straightforward format understood by managers
Requires no formal training
Task Sequencing Approaches (cont’d.)
PERT disadvantages
Diagrams can be awkward and cumbersome, especially in very large projects
Diagrams can become expensive to develop and maintain
Due to the complexities of some project development processes
Difficulty in estimating task durations
Inaccurate estimates invalidate any close critical path calculations
Task Sequencing Approaches (cont’d.)
Figure 1-10 PERT example
Source: Course Technology/Cengage Learning
Task Sequencing Approaches (cont’d.)
Gantt chart
Easy to read and understand; easy to present to management
Easier to design and implement than the PERT diagrams, yielding much of the same information
Lists activities on the vertical axis of a bar chart, and provides a simple time line on the horizontal axis
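The WBS attributes, the three PERT questions, the critical path and slack time, and the Gantt view all come from the same task network, so one worked example serves the Work Breakdown Structure, PERT and Gantt sections together. The following is an added example and not from the chapter: a constructed WBS for a hypothetical security awareness rollout, a forward pass that answers "how long" and "what comes immediately before", a backward pass that yields slack, the zero-slack tasks as the critical path, and a text Gantt chart drawn from the same schedule. It uses single-point effort estimates rather than PERT's three-point (optimistic, likely, pessimistic) estimates, so it gives a duration but not the probability of meeting it.

```python
# Constructed WBS for a hypothetical "deploy SETA programme" project. Each task
# carries the minimum attributes the text lists: the work, the effort estimate
# in workdays, the skills needed, and the tasks it depends on.
WBS = {
    "A": {"work": "Define programme objectives", "effort": 2, "skills": {"infosec mgmt"}, "deps": []},
    "B": {"work": "Draft awareness material",    "effort": 5, "skills": {"training"},     "deps": ["A"]},
    "C": {"work": "Select LMS platform",         "effort": 3, "skills": {"IT"},           "deps": ["A"]},
    "D": {"work": "Configure LMS",               "effort": 4, "skills": {"IT"},           "deps": ["C"]},
    "E": {"work": "Load material and pilot",     "effort": 2, "skills": {"training", "IT"}, "deps": ["B", "D"]},
    "F": {"work": "Roll out to all staff",       "effort": 3, "skills": {"training"},     "deps": ["E"]},
}


def topological_order(wbs):
    """Order tasks so every predecessor comes before its successors (Kahn's
    algorithm). A dependency cycle means the WBS is malformed, so raise."""
    indeg = {t: len(v["deps"]) for t, v in wbs.items()}
    ready = [t for t, d in indeg.items() if d == 0]
    order = []
    while ready:
        t = ready.pop(0)
        order.append(t)
        for s, v in wbs.items():
            if t in v["deps"]:
                indeg[s] -= 1
                if indeg[s] == 0:
                    ready.append(s)
    if len(order) != len(wbs):
        raise ValueError("cycle in task dependencies")
    return order


def schedule(wbs):
    """Forward pass gives earliest start/finish (ES/EF); backward pass gives
    latest start/finish (LS/LF); slack = LS - ES. Returns (per-task table,
    project duration)."""
    order = topological_order(wbs)
    es, ef = {}, {}
    for t in order:                       # forward pass
        es[t] = max((ef[p] for p in wbs[t]["deps"]), default=0)
        ef[t] = es[t] + wbs[t]["effort"]
    duration = max(ef.values())
    ls, lf = {}, {}
    for t in reversed(order):             # backward pass
        successors = [s for s, v in wbs.items() if t in v["deps"]]
        lf[t] = min((ls[s] for s in successors), default=duration)
        ls[t] = lf[t] - wbs[t]["effort"]
    table = {
        t: {"es": es[t], "ef": ef[t], "ls": ls[t], "lf": lf[t], "slack": ls[t] - es[t]}
        for t in order
    }
    return table, duration


def critical_path(wbs):
    """Tasks with zero slack; delaying any of them delays the project."""
    table, _ = schedule(wbs)
    return [t for t, v in table.items() if v["slack"] == 0]


def gantt(wbs):
    """Text Gantt chart: tasks down the side, days across; '#' marks scheduled
    days, '.' marks the slack a non-critical task could absorb."""
    table, duration = schedule(wbs)
    rows = []
    for t, v in table.items():
        bar = " " * v["es"] + "#" * (v["ef"] - v["es"]) + "." * v["slack"]
        rows.append(f"{t} {wbs[t]['work']:<28s} |{bar:<{duration}}| slack={v['slack']}")
    return "\n".join(rows)


if __name__ == "__main__":
    table, duration = schedule(WBS)
    print(f"project duration: {duration} workdays")
    print("critical path:", " -> ".join(critical_path(WBS)))
    print(gantt(WBS))
```

Only task B (drafting material) has slack here, so it is the logical candidate to accept a delay; anything on A-C-D-E-F pushes the rollout date. That is also the limitation the PERT disadvantages slide warns about: change one effort estimate on the critical path and the whole calculation shifts.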
Task Sequencing Approaches (cont’d.)
Figure 1-11 Project Gantt chart
Source: Course Technology/Cengage Learning
Automated Project Tools
Microsoft Project
A widely used project management tool
Keep in mind:
A software program is no substitute for a skilled and experienced project manager
Manager must understand how to define tasks, allocate scarce resources, and manage assigned resources
A software tool can get in the way of the work
Choose a tool that you can use effectively
Summary
What is security?
What is management?
Principles of information security management
Planning
Policy
Programs
Protection
People
Project management
Project management
Applying project management to security
Project management tools