ITC358 ICT Management and Information Security
Chapter 5
Developing the Security Program
We trained hard… but every time we formed up teams we would be reorganised. I was to learn
that we meet any new situation by reorganising. And a wonderful method it can be for creating the
illusion of progress while producing confusion, inefficiency, and demoralisation. – Petronius Arbiter, Roman Writer and Satirist, 210 B.C.
Objectives
Upon completion of this material you should be able to:
Explain the organisational approaches to information security
List and describe the functional components of an information security program
Determine how to plan and staff an organisation’s information security program based on its size
Objectives (cont’d.)
Upon completion of this material you should be able to: (cont’d.)
Evaluate the internal and external factors that influence the activities and organisation of an information security program
List and describe the typical job titles and functions performed in the information security program
Objectives (cont’d.)
Upon completion of this material you should be able to: (cont’d.)
Describe the components of a security education, training, and awareness program and explain how organisations create and manage these programs
Introduction
Some organisations use the term “security program” to describe the entire set of personnel, plans, policies, and initiatives related to information security
The term “information security program” is used here to describe the structure and organisation of the effort that contains risks to the information assets of the organisation
Organising for Security
Variables involved in structuring an information security program
Organisational culture
Size
Security personnel budget
Security capital budget
As organisations increase in size:
Their security departments often fail to keep up with increasingly complex organisational infrastructures
Organising for Security (cont’d.)
Information security departments tend to form internal groups
To meet long-term challenges and handle day-to-day security operations
Functions are likely to be split into groups
Smaller organisations typically create fewer groups
Perhaps having only one general group of specialists
Organising for Security (cont’d.)
Very large organisations
More than 10,000 computers
Security budgets often grow faster than IT budgets
Even with large budgets, the average amount spent on security per user is still smaller than in any other size of organisation
Small organisations spend more than $5,000 per user on security; very large organisations spend about 1/18th of that, roughly $300 per user
Organising for Security (cont’d.)
Very large organisations (cont’d.)
Do a better job in the policy and resource management areas
Only 1/3 of organisations handled incidents according to an IR plan
Large organisations
Have 1,000 to 10,000 computers
Security approach has often matured, integrating planning and policy into the organisation’s culture
Organising for Security (cont’d.)
Large organisations (cont’d.)
Do not always put large amounts of resources into security
Considering the vast numbers of computers and users often involved
They tend to spend proportionally less on security
Security in Large Organisations
One approach separates functions into four areas:
Functions performed by non-technology business units outside of IT
Functions performed by IT groups outside of information security area
Functions performed within information security department as customer service
Functions performed within the information security department as compliance
Security in Large Organisations (cont’d.)
The CISO has responsibility for information security functions
Should be adequately performed somewhere within the organisation
The deployment of full-time security personnel depends on:
Sensitivity of the information to be protected
Industry regulations
General profitability
Security in Large Organisations (cont’d.)
The more money the company can dedicate to its personnel budget
The more likely it is to maintain a large information security staff
Security in Large Organisations (cont’d.)
Figure 5-1 Example of information security staffing in a large organisation
Security in Large Organisations (cont’d.)
Figure 5-2 Example of information security staffing in a very large organisation
Security in Medium-Sized Organisations
Medium-sized organisations
Have between 100 and 1000 computers
Have a smaller total budget
Have a security staff of the same size as a small organisation, but a larger need
Must rely on help from IT staff for plans and practices
Ability to set policy, handle incidents, and effectively allocate resources is worse than in any other size of organisation
Security in Medium-Sized Organisations (cont’d.)
Medium-sized organisations (cont’d.)
May be large enough to implement a multi-tiered approach to security
With fewer dedicated groups and more functions assigned to each group
Tend to ignore some security functions
Security in Medium-Sized Organisations (cont’d.)
Figure 5-3 Example of information security staffing in a medium-sized organisation
Security in Small Organisations
Small organisations
Have between 10 and 100 computers
Have a simple, centralised IT organisational model
Spend disproportionately more on security
Information security is often the responsibility of a single security administrator
Have little in the way of formal policy, planning, or security measures
Security in Small Organisations (cont’d.)
Small organisations (cont’d.)
Commonly outsource their Web presence or electronic commerce operations
Security training and awareness are commonly conducted on a 1-on-1 basis
Policies (when they exist) are often issue-specific
Formal planning is often part of IT planning
Threats from insiders are less likely
Every employee knows every other employee
Security in Small Organisations (cont’d.)
Figure 5-4 Example of information security staffing in a smaller organisation
Source: Course Technology/Cengage Learning
Placing Information Security Within An Organisation
In large organisations
InfoSec is often located within the information technology department
Headed by the CISO, who reports directly to the top computing executive, the CIO
An InfoSec program is sometimes at odds with the goals and objectives of the IT department as a whole
Placing Information Security Within An Organisation (cont’d.)
Because the goals and objectives of the CIO and the CISO may come into conflict
It is not difficult to understand the current movement to separate information security from the IT division
The challenge is to design a reporting structure for the InfoSec program that balances the needs of each of the communities of interest
Placing Information Security Within an Organisation (cont’d.)
Figure 5-5 Wood’s Option 1: Information security reports to information technology department
Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
Placing Information Security Within an Organisation (cont’d.)
Figure 5-6 Wood’s Option 2: Information security reports to broadly defined security department
Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
Placing Information Security Within an Organisation (cont’d.)
Figure 5-7 Wood’s Option 3: Information security reports to administrative services department
Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
Placing Information Security Within an Organisation (cont’d.)
Figure 5-8 Wood’s Option 4: Information security reports to insurance and risk management department
Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
Placing Information Security Within an Organisation (cont’d.)
Figure 5-9 Wood’s Option 5: Information security reports to strategy and planning department
Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
Placing Information Security Within an Organisation (cont’d.)
Other options
Option 6: Legal
Option 7: Internal audit
Option 8: Help desk
Option 9: Accounting and finance through IT
Option 10: Human resources
Option 11: Facilities management
Option 12: Operations
Components of the Security Program
Organisation’s information security needs
Unique to the culture, size, and budget of the organisation
Determining what level the information security program operates on depends on the organisation’s strategic plan
Also the plan’s vision and mission statements
The CIO and CISO should use these two documents to formulate the mission statement for the information security program
Information Security Roles and Titles
Types of information security positions
Those that define
Provide the policies, guidelines, and standards
Do the consulting and the risk assessment
Develop the product and technical architectures
Senior people with a lot of broad knowledge, but often not a lot of depth
Those that build
The real “techies” who create and install security solutions
Information Security Roles and Titles (cont’d.)
Types of information security positions (cont’d.)
Those that administer
Operate and administer the security tools and the security monitoring function
Continuously improve the processes
A typical organisation has a number of individuals with information security responsibilities
Information Security Roles and Titles (cont’d.)
While the titles used may be different, most of the job functions fit into one of the following:
Chief Information Security Officer (CISO) or Chief Security Officer (CSO)
Security managers
Security administrators and analysts
Security technicians
Security staff
Information Security Roles and Titles (cont’d.)
Figure 5-10 Information security roles
Source: Course Technology/Cengage Learning
Help Desk Personnel
Help desk
An important part of the information security team
Enhances the security team’s ability to identify potential problems
When a user calls the help desk with a complaint, the user’s problem may turn out to be related to a bigger problem, such as a hacker, a denial-of-service attack, or a virus
Help Desk Personnel (cont’d.)
Help desk (cont’d.)
Because help desk technicians perform a specialised role in information security, they have a need for specialised training
Implementing Security Education, Training, and Awareness Programs
SETA program
Designed to reduce accidental security breaches
Consists of three elements: security education, security training, and security awareness
Awareness, training, and education programs offer two major benefits:
Improving employee behaviour
Enabling the organisation to hold employees accountable for their actions
Implementing SETA Programs (cont’d.)
Purpose of SETA is to enhance security:
By building in-depth knowledge, to design, implement, or operate security programs for organisations and systems
By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
By improving awareness of the need to protect system resources
Implementing SETA Programs (cont’d.)
Table 5-3 Framework of security education, training and awareness
Source: National Institute of Standards and Technology. An Introduction to Computer Security: The NIST Handbook. SP 800-12. http://csrc.nist.gov/publications/nistpubs/800-12/.
Security Education
Employees within information security may be encouraged to seek a formal education
If not prepared by their background or experience
A number of institutions of higher learning, including colleges and universities, provide formal coursework in information security
Security Education (cont’d.)
A knowledge map
Can help potential students assess information security programs
Identifies the skills and knowledge clusters obtained by the program’s graduates
Creating the map can be difficult because many academics are unaware of the numerous subdisciplines within the field of information security
Each of which may have different knowledge requirements
Security Education (cont’d.)
Figure 5-11 Information security knowledge map
Source: Course Technology/Cengage Learning
Security Education (cont’d.)
Depth of knowledge
Indicated by a level of mastery using an established taxonomy of learning objectives or a simple scale such as “understanding → accomplishment → proficiency → mastery.”
Because many institutions have no frame of reference for which skills and knowledge are required for a particular job area
They may refer to the certifications offered in that field
Security Education (cont’d.)
Once the knowledge areas are identified, common knowledge areas are aggregated into teaching domains
From which individual courses can be created
Course design
Should enable a student to obtain the required knowledge and skills upon completion of the program
Identify the prerequisite knowledge for each class
Security Education (cont’d.)
Figure 5-12 Technical course progression
Source: Course Technology/Cengage Learning
Security Training
Involves providing detailed information and hands-on instruction
To develop user skills to perform their duties securely
Management can either develop customised training or outsource
Security Training (cont’d.)
Customising training for users
By functional background
General user
Managerial user
Technical user
By skill level
Novice
Intermediate
Advanced
Training Techniques
Using the wrong method
Can hinder the transfer of knowledge
Leading to unnecessary expense and frustrated, poorly trained employees
Good training programs
Take advantage of the latest learning technologies and best practices
Training Techniques (cont’d.)
Recent developments
Less use of centralised public courses and more on-site training
Training is often for one or a few individuals
Waiting until there is a large-enough group for a class can cost companies lost productivity
Other best practices
Increased use of short, task-oriented modules
Available during the normal work week
Training Techniques (cont’d.)
Selection of the training delivery method
Not always based on the best outcome for the trainee
Often overridden by budget, scheduling, and the needs of the organisation
Types of delivery methods
One-on-one
Formal class
Computer-based training (CBT)
Training Techniques (cont’d.)
Types of delivery methods (cont’d.)
Distance learning/web seminars
User support group
On-the-job training
Self-study (non-computerised)
Training Techniques (cont’d.)
Training methods
Use a local training program
Use a continuing education department
Use another external training agency
Hire a professional trainer, a consultant, or someone from an accredited institution to conduct on-site training
Organise and conduct training in-house using the organisation’s own employees
Implementing Training
Seven-step methodology generally applies:
Step 1: Identify program scope, goals, and objectives
Step 2: Identify training staff
Step 3: Identify target audiences
Step 4: Motivate management and employees
Step 5: Administer the program
Step 6: Maintain the program
Step 7: Evaluate the program
Security Awareness
One of the least frequently implemented, but most effective security methods is the security awareness program
Security awareness programs:
Set the stage for training by changing organisational attitudes to realise the importance of security and the adverse consequences of its failure
Remind users of the procedures to be followed
Security Awareness (cont’d.)
Best practices
Focus on people
Refrain from using technical jargon
Use every available venue
Define learning objectives, state them clearly, and provide sufficient detail and coverage
Keep things light
Don’t overload the users
Help users understand their roles in InfoSec
Security Awareness (cont’d.)
Best practices (cont’d.)
Take advantage of in-house communications media
Make the awareness program formal
Plan and document all actions
Provide good information early, rather than perfect information late
Security Awareness (cont’d.)
The ten commandments of information security awareness training
Information security is a people, rather than a technical, issue
If you want them to understand, speak their language
If they cannot see it, they will not learn it
Make your point so that you can identify it and so can they
Never lose your sense of humour
Security Awareness (cont’d.)
The ten commandments of information security awareness training (cont’d.)
Make your point, support it, and conclude it
Always let the recipients know how the behaviour that you request will affect them
Ride the tame horses
Formalise your training methodology
Always be timely, even if it means slipping schedules to include urgent information
Security Awareness (cont’d.)
Security awareness and security training are designed to modify any employee behaviour that endangers the security of the organisation’s information
Security training and awareness activities can be undermined if management does not set a good example
Security Awareness (cont’d.)
Effective training and awareness programs make employees accountable for their actions
Dissemination and enforcement of policy become easier when training and awareness programs are in place
Demonstrating due care and due diligence can help indemnify the institution against lawsuits
Security Awareness (cont’d.)
Awareness can take on different forms for particular audiences
A security awareness program can use many methods to deliver its message
Recognise that people tend to tune out a message they see repeatedly (acclimation)
Awareness techniques should be creative and frequently changed
Security Awareness (cont’d.)
Many security awareness components are available at little or no cost
Others can be very expensive
Examples of security awareness components
Videos
Posters and banners
Lectures and conferences
Computer-based training
Security Awareness (cont’d.)
Examples of security awareness components (cont’d.)
Newsletters
Brochures and flyers
Trinkets (coffee cups, pens, pencils, T-shirts)
Bulletin boards
Security Awareness (cont’d.)
Security newsletter
A cost-effective way to disseminate security information
Newsletters can be in the form of hard copy, e-mail, or intranet
Topics can include threats to the organisation’s information assets, schedules for upcoming security classes, and the addition of new security personnel
Security Awareness (cont’d.)
Security newsletter (cont’d.)
The goal is to keep the idea of information security uppermost in users’ minds and to stimulate them to care about security
Newsletters might include:
Summaries of key policies
Summaries of key news articles
A calendar of security events, including training sessions, presentations, and other activities
Announcements relevant to information security
How-to’s
Security Awareness (cont’d.)
Figure 5-13 SETA awareness components: Newsletters
Security Awareness (cont’d.)
Security poster series
A simple and inexpensive way to keep security in people’s minds
Professional posters can be quite expensive, so in-house development may be the best solution
Keys to a good poster series:
Varying the content and keeping posters updated
Keeping them simple, but visually interesting
Making the message clear
Providing information on reporting violations
Security Awareness (cont’d.)
Figure 5-14 SETA awareness components: Posters
Source: Course Technology/Cengage Learning
Security Awareness (cont’d.)
Trinket programs
Inexpensive on a per-unit basis
They can be expensive to distribute
Types of trinkets
Pens and pencils, mouse pads
Coffee mugs, plastic cups
Hats, T-shirts
The messages trinket programs impart will be lost unless reinforced by other means
Security Awareness (cont’d.)
Figure 5-15 SETA awareness components: Trinkets
Source: Course Technology/Cengage Learning
Security Awareness (cont’d.)
Organisations can establish Web pages or sites dedicated to promoting information security awareness
The challenge lies in updating the messages frequently enough to keep them fresh
Tips on creating and maintaining an educational Web site
See what’s already out there
Plan ahead
Security Awareness (cont’d.)
Tips on creating and maintaining an educational Web site (cont’d.)
Keep page loading time to a minimum
Seek feedback
Assume nothing and check everything
Spend time promoting your site
Security Awareness (cont’d.)
Security awareness conference
Have a guest speaker or even a mini-conference dedicated to the topic
Perhaps in association with the semi-annual National Computer Security Days: October 31 and April 4
Summary
Introduction
Organising for security
Placing information security within an organisation
Components of the security program
Information security roles and titles
Implementing security education, training, and awareness programs