Practical connection - Operations Security
CHAPTER 5
Information Security Policy Implementation Issues
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s)
Describe issues related to information systems security (ISS) policy implementation and enforcement.
Key Concepts
Human nature and motivation
Organizational structures
Policy implementation
Organizational hurdles to policy implementation
Impact of executive management support
Human Nature in the Workplace
Basic elements of motivation
Personality types of employees
Leadership, values, and ethics
Basic Elements of Motivation
Pride
Self-interest
Success
Three Basic Elements of Motivation
FIGURE 5-1 Three basic elements of motivation.
Personality Types of Employees
People may be more than one personality type
Types blend, but one may emerge as dominant
Leverage strengths and weaknesses during implementation
Commander: demanding, forceful
Drifter: laid back, lacks discipline
Attacker: angry, critical, egotistical
Pleaser: kind, thoughtful, self-sacrificing
Performer: witty, charming, focal point
Avoider: dependable, consistent, avoids extra work
Analytical: disciplined, precise, detail-oriented
Achiever: results-oriented
Leadership, Values, and Ethics
Goals: Good leaders have clear vision and set goals
Training: Good leaders train their team to focus on goals and support each other’s work
Support: Good leaders accept failures. People will make mistakes. How a leader reacts to these mistakes sets a tone that can be healthy or destructive
Reward: Good leaders reward results, not personalities
Organizational Structures
Are chosen by management
Influence how security policies are put in place
Create complex relationships and personal dynamics between different leaders, layers of approvals, and core values
Reflect the relationship between teams (or departments), their responsibilities, and lines of authority
Clearly indicate who’s in charge and who reports to whom
Typical Organizational Chart
FIGURE 5-2 Typical organizational chart.
CISO Reporting Directly to CFO
FIGURE 5-3 CISO reporting directly to CFO.
CISO Organizational Chart—CISO Role Appears Several Layers Deep
FIGURE 5-4 CISO organizational chart—CISO role appears several layers deep.
Flat Organizations
Limited number of layers between top and bottom employee ranks
Leaders are close to the workers that deliver products and services
Faster decision making
More confidence to innovate
Security policies are not abstract
Leaders responsible for product and services
Decentralized authorities
Span of control can become too wide
No time to bring every problem to management for resolution
Need high-caliber teams comfortable with independent decision making
May run into conflicting statements made to regulators by subordinate leaders and senior leadership
When defining a security policy, must decide clearly how issues are to be identified, catalogued, debated, and escalated
Hierarchical Organizations
Disadvantages
Senior leaders are more detached from day-to-day operations
Messages from senior leaders have to be reinforced through all management layers
Lack of accountability
Communication breakdowns
Too many touchpoints and personalities must be engaged
Advantages
Hierarchy of specializations
Communication lines are more clearly defined
Depth of knowledge in a subject area tends to be greater
Matrix relationships can be complex
The Challenge of User Apathy
Apathy is indifference and lack of motivation
An employee who is apathetic often “goes through the motions”
This attitude results in poor performance and doing the minimum to get by
Overcoming the effects of apathy on security policies is a combination of the following:
Engaged communication
Ongoing awareness
Setting the right expectations
Creating some layers of redundancy
Recognize and reward compliance
The Importance of Executive Management Support
Implementing security policies starts with executive management
Implementing security policies creates a culture of risk awareness, which takes work and resources
Executive management support is critical to the success of security policy implementation and acceptance throughout the organization
Selling Information Security Policies to an Executive
Eight Missteps
Unclear purpose
Doubt
Insufficient support from leadership
Organizational baggage
Lack of organizational incentives
Lack of candor
Low tolerance for bad news
Unmanageable complexity
Before, During, and After Policy Implementation
Clarity of objectives: What goals and benefits are to be achieved?
Things to do: What exact tasks are to be performed and by whom?
Things to pay attention to: How does the business know if it is successful?
Things to report: What should be reported and when?
Roles and responsibilities: Who’s responsible for what?
Things to be aware of: Why is the security policy in place?
Things to reinforce with employees: What is the messaging to the staff?
The Role of Human Resources Policies
Well-defined HR policies provide the framework that governs employee relations
HR policies:
State core business values and what is expected
Can prevent misunderstandings
Although HR policies must demonstrate commitment to secure business practices and clearly state values, they must be flexible and defensible in a court of law while meeting business objectives
Automated enforcement of security policies shows consistency and often leads to a higher compliance rate than manual controls
Conceptual Relationship Between HR Policies and Security Policies
FIGURE 5-5 Conceptual relationship between HR policies and security policies.
Change Model—Basic Policy Implementation Approach
FIGURE 5-6 Basic policy implementation approach.
Roles and Accountabilities
Information security officer (ISO)
Executive
Compliance officer
Data owner
Data manager
Data custodian
Data user
Auditor
Tying Security Policy to Performance and Accountability
Number of security violations by employees reported
Number of incidents that could have been avoided
Completion and competency rate for security awareness
Summary
Human nature and motivation
Organizational structures
Policy implementation
Organizational hurdles to policy implementation
Impact of executive management support
10/10/2020