Assignment
Chapter 6
Security Organization
Copyright © 2014 by McGraw-Hill Education.
Introduction
Every business needs a risk management approach that is headed by a top level executive in the organization who is dedicated to risk management and information security. Security can no longer be left in the hands of the technologists. It must be acknowledged, considered, embraced, and championed at the highest levels of the organization—in other words, it must be aligned to the business objectives of the organization to maintain or improve its value.
The organization requires executive-level representation in the business, because the management of risks related to information security is ultimately the responsibility of senior management. Whether the business is regulated or not, the top executives are on the hook for any consequences that occur due to failure of security controls.
Regardless of the specific functions within the security organization, the definition of who does what should be well defined in an org chart with clear responsibilities assigned to each individual, so security can be properly managed.
Security Organization
Chief Security Risk Officer (CSRO) or Chief Information Security Officer (CISO)
Responsible for risk management
All organizations need an executive decision-maker who is responsible for security risk
Accountable for all security efforts
Oversees all aspects of risk management
Oversees the information security function
CSRO / CISO Responsibilities
Ensure the business has risk management skills in its human capital.
Establish an organizational structure that supports a risk management strategy.
Implement an integrated risk management framework.
Define the business’s risk appetite in terms of loss tolerance.
Ensure the business can absorb the risk in terms of human and financial resources.
Establish risk assessment, management, response, mitigation, and audit procedures.
Influence the business’s risk culture and provide organizational learning opportunities.
Security Director
Works with the executive team to accomplish business goals
Requires expert communication, negotiation, and leadership skills, as well as technical knowledge of IT and security hardware
Experienced in information security decision-making
Oversees and coordinates security efforts across the business, including IT, HR, Communications, Legal, Facilities, and other departments
Security Director Responsibilities
Coordinates the security-related strategic and visionary goals of the business
Oversees security management and vendors who safeguard the business’s assets, intellectual property, and computer systems, as well as the physical safety of employees and visitors
Identifies protection goals and objectives consistent with corporate strategic plans
Manages the development and implementation of global security policy (rules), standards (minimum requirements), guidelines (recommendations), and procedures (step-by-step instructions) to ensure ongoing maintenance of security
Maintains relationships with local, state, and federal law enforcement and other related government agencies
Oversees the investigation of security breaches and assists with disciplinary and legal matters associated with such breaches as necessary
Works with outside consultants as appropriate for independent security audits
Participates in the business’s change management process at the organizational and strategic level
Is fluent with the various aspects of the risk management framework
Security Manager
Day-to-day responsibility for all security-related activities and incidents
All operational security positions report to this position
Responsible for management and distribution of the security policy, policy adherence and coordination, and security incident coordination
Security Manager Responsibilities
Develops and maintains a comprehensive security program
Develops and maintains a business resumption plan for information resources
Approves access and formally assigns custody of the information resources
Ensures compliance with security controls
Plans for contingencies and disaster recovery
Ensures that adequate technical support is provided to define and select cost-effective security controls
Security Architect
Responsibility for the security architecture, including conducting product testing and keeping track of new bugs and security vulnerabilities as they arise
Produces a detailed security architecture for the network based on identified requirements, and uses this architecture specification to drive efforts toward implementation
Security Architect Responsibilities
Identifies threats and vulnerabilities
Identifies risks to information resources through risk analysis
Identifies critical and sensitive information resources
Works with the data owner to assess and classify information
Works with technical management to specify cost-effective security controls and convey security control requirements to users and custodians
Assists the security manager in evaluating the cost-effectiveness of controls
Security Engineer
Technically implements the architect’s designs
Works directly with the architect on design decisions and with the administrator on device management decisions
Security Engineer Responsibilities
Installation and configuration of networks and network devices such as web application firewalls, network firewalls, switches, load balancers, and routers
Security configuration of Unix, Linux, or Windows servers
Security configuration of applications and databases
Installation, configuration, and design of security tools, including development and coding
Security incident investigation, including network packet capture
Maintenance and monitoring of network and host intrusion detection and prevention technologies
Security Administrator
Implements security on a day-to-day, operational/tactical basis at the facility
Executes all actions directed by the security architect, security engineer, security manager, or as required by security policy or incident response procedures
Ensures that security requirements are met and maintained on all computers, networks, and network technologies, including patch management and operating system upgrades
Often the first person contacted whenever there is a suspected or known security problem
Operational/tactical responsibility for ensuring that the business, its reputation, and its assets are protected and has the authority to take any and all action necessary to accomplish this goal
Security Administrator Responsibilities
Implements the security controls specified by the security architect, security engineer, and security manager
Implements physical and procedural safeguards for information resources within the facility
Administers access to the information resources and makes provisions for timely detection, reporting, and analysis of actual and attempted unauthorized access to information resources
Provides assistance to the individuals responsible for information security
Assists with acquisition of security hardware/software
Assists with identification of vulnerabilities and other data-gathering activities and log file analysis
Develops and maintains access control rules
Maintains user lists, passwords, encryption keys, and other authentication and security-related information and databases
Develops and follows procedures for reporting on monitored controls
Security Analyst
Supports the security architect, security engineer, security administrator, and security management in analyzing and producing reports required for the assessment and smooth functioning of security operations
Security Analyst Responsibilities
Monitors alerts and reports generated by security systems
Reviews log files as generated by security devices and servers, making note of anomalies
Compiles reports as required by management or as specified by security policy
Maintains security metrics
Collaborates with security organization team members to assess and analyze security operations and suggests improvement
Manages quality control and change management initiatives for the security organization
Maintains security policy documentation and ensures that necessary changes are incorporated as directed by the architect or management
Security Investigator
Responsible for Legal, HR, and internal investigations into security incidents, breaches, attacks, and violations
Often works closely with law enforcement agencies as needed
Requires technical expertise as well as knowledge of evidence handling and forensic procedures
Security Investigator Responsibilities
Responds to requests from HR, Legal, and other internal departments to investigate incidents
Coordinates with outside attorneys or law enforcement representatives
Collects and preserves evidence from computer systems
Performs e-discovery and forensic searches for keywords and patterns
Produces detailed reports on investigations
Provides information to the HR and Legal departments for action
Maintains strict secrecy about ongoing investigations
Security Awareness Trainer
Develops and delivers security awareness training to the business based on corporate security policy, standards, procedures, and guidelines
Requires a background in security as well as in education and training
Coordinates and collaborates with the security department subject matter experts to ensure that the training is both comprehensive and accurate
Facility Security Officer
Enforces physical security policy at each building location
Has the authority to take action without the approval of the management at the facility when required to ensure physical security
Reviews physical security reports such as facility access records
Coordinates activities related to security incidents at the facility
Application Security
Knowledgeable about the programming languages
Trained in security programming techniques
Provides guidance and training to programmers on how to write secure code
Reviews code produced by the programmers for security vulnerabilities and flaws
Business Continuity and Disaster Recovery Planning
Business continuity planning (BCP)
Disaster recovery (DR) planning and testing
Non-security Jobs with Security Responsibilities
System and network administrators
Data owners
Data custodians
Security Incident Response Team
Individuals from various parts of the business are brought together to handle emergencies.
They join the team apart from their daily responsibilities in order to prepare, practice, and drill for potential emergencies and, in the event of an actual emergency, handle the situation.
Examples of incidents a response team might handle include
Hostile intrusions into the network by unauthorized people
Damaging or hostile software loose on a system or on the network
Personnel investigations for unauthorized access or acceptable use violations
Virus activity
Software failures, system crashes, and network outages
Cooperation with international investigations
Court-ordered discovery, evidentiary, or investigative legal action
Illegal activities such as software piracy
Managed Security Services
An information security provider for outsourced services may be needed if
Security expertise is not found in house
Security is required 24×7×365 while functionality may be required only for certain business windows (for example, 8 a.m. to 5 p.m.)
Vast amounts of data must be examined
Specialized skill sets are hard to find
Security Council, Steering Committee, or Board of Directors
A security council or steering committee, whose members include representatives from each major business department, provides a forum for information exchange that facilitates the job of the security practitioner and identifies business requirements to which the security organization should be privy.
Interaction with Human Resources
Human Resources departments need to provide required information about new hires.
HR also reports required information about terminations.
HR manages contractor information.
Summary
The CSRO or CISO is the highest level of security manager in midsize and larger businesses, with ultimate responsibility for all security efforts for the business.
Security functions include strategic positions such as management, architecture, and policy specialists, as well as operational positions such as administrators, analysts, and investigators. Other functions such as BCP, DR, and physical security may also reside within the information security organization, depending on the nature of the business.
In addition to these full-time roles, security response teams comprise collections of individuals from various parts of the business who are removed from their daily responsibilities and brought together to prepare, practice, and drill for emergencies. These are the people who handle emergencies when they arise.
A corporate security council or steering committee, whose members include representatives from each major department in the business that are stakeholders in the end result of the security program, provides a forum for information exchange and input into the decisions that shape the security program.
For those functions not staffed internally, managed security service providers (MSSPs) are an option. These outside firms are contracted by businesses to perform specific security tasks such as monitoring, alerting, and incident response. MSSPs can be less expensive, more efficient, and more effective.