Practical connection - Operations Security

Colin Horn
9781284199840_SLID_CH05.pptx

CHAPTER 5

Information Security Policy Implementation Issues

Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.

Learning Objective(s) and Key Concepts

Learning Objective(s)

Describe issues related to information systems security (ISS) policy implementation and enforcement.

Key Concepts

Human nature and motivation

Organizational structures

Policy implementation

Organizational hurdles to policy implementation

Impact of executive management support

Human Nature in the Workplace

Basic elements of motivation

Personality types of employees

Leadership, values, and ethics

Basic Elements of Motivation

Pride

Self-interest

Success

Three Basic Elements of Motivation

FIGURE 5-1 Three basic elements of motivation.

Personality Types of Employees

People may be more than one personality type

Types blend, but one may emerge as dominant

Leverage strengths and weaknesses during implementation

Commander: Demanding, forceful

Drifter: Laid back, lacks discipline

Attacker: Angry, critical, egotistical

Pleaser: Kind, thoughtful, self-sacrificing

Performer: Witty, charming, focal point

Avoider: Dependable, consistent, avoids extra work

Analytical: Disciplined, precise, detail-oriented

Achiever: Result-oriented

Leadership, Values, and Ethics

Goals: Good leaders have a clear vision and set goals

Training: Good leaders train their team to focus on goals and support each other’s work

Support: Good leaders accept failures. People will make mistakes. How a leader reacts to these mistakes sets a tone that can be healthy or destructive

Reward: Good leaders reward results, not personalities

Organizational Structures

Are chosen by management

Influence how security policies are put in place

Create complex relationships and personal dynamics between different leaders, layers of approvals, and core values

Reflect the relationship between teams (or departments), their responsibilities, and lines of authority

Clearly indicate who’s in charge and who reports to whom

Typical Organizational Chart

FIGURE 5-2 Typical organizational chart.

CISO Reporting Directly to CFO

FIGURE 5-3 CISO reporting directly to CFO.

CISO Organizational Chart—CISO Role Appears Several Layers Deep

FIGURE 5-4 CISO organizational chart—CISO role appears several layers deep.

Flat Organizations

Limited number of layers between top and bottom employee ranks

Leaders are close to the workers who deliver products and services

Faster decision making

More confidence to innovate

Security policies are not abstract

Leaders are responsible for products and services

Decentralized authorities

Span of control can become too wide

No time to bring every problem to management for resolution

Need high-caliber teams comfortable with independent decision making

May have problems with conflicting statements to regulators by the subordinate and senior leadership

When defining a security policy, management must decide clearly how issues are to be identified, catalogued, debated, and escalated

Hierarchical Organizations

Disadvantages

Senior leaders are more detached from day-to-day operations

Messages from senior leaders have to be reinforced through all management layers

Lack of accountability

Communication breakdowns

Too many touchpoints and personalities must be engaged

Advantages

Hierarchy of specializations

Communication lines are more clearly defined

Depth of knowledge in a subject area tends to be greater

Matrix relationships can be complex

The Challenge of User Apathy

Apathy is indifference and lack of motivation

An employee who is apathetic often “goes through the motions”

This attitude results in poor performance and doing the minimum to get by

Overcoming the effects of apathy on security policies is a combination of the following:

Engaged communication

Ongoing awareness

Setting the right expectations

Creating some layers of redundancy

Recognize and reward compliance

The Importance of Executive Management Support

Implementing security policies starts with executive management

Implementing security policies creates a culture of risk awareness, which takes work and resources

Executive management support is critical to the success of security policy implementation and acceptance throughout the organization

Selling Information Security Policies to an Executive

Eight Missteps

Unclear purpose

Doubt

Insufficient support from leadership

Organizational baggage

Lack of organizational incentives

Lack of candor

Low tolerance for bad news

Unmanageable complexity

Before, During, and After Policy Implementation (1 of 2)

Clarity of objectives: What goals and benefits are to be achieved?

Things to do: What exact tasks are to be performed, and by whom?

Things to pay attention to: How does the business know if it is successful?

Before, During, and After Policy Implementation (2 of 2)

Things to report: What should be reported, and when?

Roles and responsibilities: Who’s responsible for what?

Things to be aware of: Why is the security policy in place?

Things to reinforce with employees: What is the messaging to the staff?

The Role of Human Resources Policies

Well-defined HR policies provide the framework that governs employee relations

HR policies:

State core business values and what is expected

Can prevent misunderstandings

Although HR policies must demonstrate commitment to secure business practices and clearly state values, they must be flexible and defensible in a court of law while meeting business objectives

Automated enforcement of security policies shows consistency and often leads to a higher compliance rate than manual controls

Conceptual Relationship Between HR Policies and Security Policies

FIGURE 5-5 Conceptual relationship between HR policies and security policies.

Change Model—Basic Policy Implementation Approach

FIGURE 5-6 Basic policy implementation approach.

Roles and Accountabilities

Information security officer (ISO)

Executive

Compliance officer

Data owner

Data manager

Data custodian

Data user

Auditor

Tying Security Policy to Performance and Accountability

Number of reported security violations by employees

Number of incidents that could have been avoided

Completion and competency rate for security awareness training

Summary

Human nature and motivation

Organizational structures

Policy implementation

Organizational hurdles to policy implementation

Impact of executive management support

10/10/2020
