CSE3482 2022 SecurityManagement


CSE 3482

Introduction to Computer Security

Management of
Information Security

Instructor: Prof. P. Madani, Winter 2022


Credit: Prof. N. Vlajic
Learning Objectives

Upon completion of this material, you should be able to:


• List the key managerial roles and the main types of
managerial positions in an organization.
• Describe the POLC project management model.
• List and describe organizational/structural approaches
to information security.
• Explain the difference between security policy, standard
and procedure.
• List the different types of security policy that can be
found in an organization.
Required Reading

Computer Security, Stallings: Chapter 15


Management Definition
• Project Management Triangle – triad of competing constraints
in management (i.e., quality) of any project
  - time available
  - cost / budget available
  - scope / set of goals to be achieved

[Figure: project management triangle, with "Quality" at its centre]
Management Definition (cont.)
• Management – process of achieving certain
objectives given a set of constraints

• Manager – person assigned to handle multiple roles
necessary to achieve the desired objective(s)
  - informational role: collect, process, use, provide information
  that can affect the completion of the objective
  - decisional role: select among alternative approaches and
  resolve conflicts, dilemmas or challenges
  - interpersonal role: coordinate and interact with superiors,
  subordinates, outside stakeholders and other parties that
  influence or are influenced by the completion of the task

Examples: teacher, student, president, software developer

Management Definition (cont.)
Example: 3 managerial role categories

http://education-portal.com/academy/lesson/decisional-roles-in-management-types-examples-definition.html
Management Definition (cont.)
Example: Mintzberg's 10 Managerial Roles
[Figure; the ten role descriptions recovered from the slide:]
  - represent organization/group externally - formal head
  - provide leadership to his group
  - interact with peers and people from other organizations/groups
  - receive and collect information
  - disseminate special information into organization/group
  - disseminate organization's information outside
  - initiate and plan the change – take action to improve existing
  operation
  - deal with problems & threats
  - decide where and how organization's resources will be allocated
  - manage organization's/group's main operation
http://www.flatworldknowledge.com/node/28989#web-28989
Management Definition (cont.)
- Different managerial positions require a different balance
of the 3/10 managerial roles.
  - at the top-level managerial positions, interpersonal roles
  (e.g., figurehead & leader) are performed more often
  - at the lower-level managerial positions, decisional roles
  (e.g., disturbance handler & negotiator) are performed more often

Source: Elementary Information Security, R. E. Smith, p. 580
Management Process
• Four key stages of a management process: POLC Model

[Figure: POLC stages, grouped under Project/Strategy Formulation
and Project/Strategy Implementation]
Management Process (cont.)
1) Planning - deciding what needs to happen in the future
and generating adequate plans for action
  - strategic planning – occurs at the highest levels of the organization
  and for a long period of time (5 or more years)
  - tactical planning – focuses on production planning and integrates
  organizational resources for an intermediate duration (1 – 5 years)
  - operational planning – focuses on day-to-day operations of
  local resources, and occurs in the present or in the short term

- The planning process begins with the creation of a strategic plan for
the entire organization/group. The resulting plan is then divided
up into planning elements for each sub-unit.
- In planning, goals and objectives must be adequately set.
  - goal – ultimate (end) result of a planning process
  - objective – intermediate point that allows us to measure progress
  towards the goal
Management Process (cont.)
Example: Strategic vs. tactical vs. operational plan in a
company that is moving its sales on-line …
Strategic plan: The company should derive most of its revenue
from E-Commerce and be 100% immune to DDoS attacks.
Tactical plan: 4 firewalls should be purchased and set up in
the next 6-12 months.
Operational plan: Identify the most problematic traffic so as to aid
the adequate setting-up of the firewalls …
Management Process (cont.)
2) Organizing - optimum structuring of resources to enable
successful carrying out of the plan; may include
  - structuring of existing departments and their staff
  - (new) staffing
  - purchase and storage of raw materials
  - collection of additional/specialized information

3) Leading / Directing - determining what specific steps need
to be done and getting people to do it; may include
  - developing direction and motivation for employees
  - supervising employee behavior, attendance, performance,
  attitude
Management Process (cont.)

4) Monitoring / Controlling - monitor progress towards
achieving the goal and make necessary adjustments
  - ensure sufficient progress is made
  - ensure plan is adequately implemented
  - resolve any impediments to task/plan completion
  - acquire additional resources, when necessary

- Should the plan be found invalid in light of the operational
reality of the organization, the manager should take
corrective actions.

Corrective actions => correct the performance or correct the objective.
Management Process (cont.)
Example: Project management process - corrective actions

[Figure: cybernetic loop with negative feedback.
Plan: develop 100% secure cryptographic application, ±Δ tolerance.
'Beta version' produced - 96% secure.]
Information Security Management
Information Security Management
• Three common groups of managers:
- Non-technical General Business Managers – articulate
and communicate organizational objectives and policy
- IT Managers – support the organization's business objectives
by supplying and supporting appropriate IT infrastructure
- Information Security Managers – protect the organization's
IT infrastructure and other information assets from the many
threats they face

[Figure: General Managers, IT Managers, Info. Sec. Managers]
Information Security Management (cont.)

- Information Security management operates like all
other management units, employing the common
management (POLC) methodology.
- However, the specific goals and objectives of Info. Sec.
management differ from those of IT and general
management.
- Certain characteristics of Info. Sec. management
are unique to this community!
Information Security Management (cont.)

• Goals of Info. Sec. vs. Goals of IT – not always in
complete alignment; sometimes in conflict

- IT professionals focus on:
  - cost of system creation & operation [ freeware vs. paid software ]
  - timeliness of system creation [ web-server with no DMZ ]
  - ease of system use for the end-user [ single-factor authentication ]
  - quality of system performance (speed, delay, …) [ no firewall ]

- Info. Sec. professionals focus on:
  - protection of the organization's information systems at all
  cost necessary
Information Security Management (cont.)
Example: Info. Sec. within an organization - Option 1:
Most Common
Information Security Management (cont.)

Example: Info. Sec. within an organization - Option 1 (cont.)

Most common organizational structure: in 50% of companies.
Info. Sec. under (reports to & shares budget with) the IT department.
- pros:
  - whoever the Info. Sec. manager reports to understands
  technological issues
  - security staff and IT staff collaborate on a day-to-day basis
  - there is only 'one person' between the Info. Sec. manager and the CEO

- cons:
  - the CEO is likely to discriminate against the Info. Sec. function, as
  other IT objectives (e.g., computer performance, ease of use, …)
  often take precedence
Information Security Management (cont.)

Example: Info. Sec. within an organization - Option 2:
When Security Goes Beyond "Computer Security"
Information Security Management (cont.)
Example: Info. Sec. within an organization - Option 2 (cont.)
Info. Sec. reports to the Administrative Services Dept. – performs
services for all workers in the organization, much like HR.
- pros:
  - acknowledges that info. and info. systems are found everywhere
  throughout the organization – all employees are expected to
  'work with' the Info. Sec. department
  - supports efforts to secure information no matter its form (paper,
  verbal, etc.) rather than viewing the info. sec. function as strictly
  a computer- & network-related issue
- cons:
  - the Administrative Services VP often does not know much about IT
  and Info. Sec. – may not be effective in communicating with the CEO
  - often subject to cost-cutting measures
Information Security Management (cont.)
Example: Info. Sec. within an organization - Option 3:
When Risk to Computer Security ⇒ Risk to Business
Information Security Management (cont.)
Example: Info. Sec. within an organization - Option 3 (cont.)
Info. Sec. reports to the Insurance & Risk Management Dept.
This approach typically involves assessing the extent/likelihood
of potential losses in case of a weakened info. sec. function.
- pros:
  - brings greater resources and management attention to Info. Sec.
  - the Chief Risk Manager (CRM) is likely to be prevention oriented and
  adopt a longer-term viewpoint
- cons:
  - CRMs are often not familiar with information system technology
  - may over-emphasize strategic issues, and overlook operational
  and administrative aspects of info. sec. (e.g., change of access
  privileges when people change jobs)
Information Security Management (cont.)
Example: Info. Sec. in different companies
Which of the three discussed organizational models
would you deploy in which of the three companies?

Info. Sec. within IT: should be employed in companies where it is
critical to obtain/use the latest technology, and the bulk of the work
done by the Info. Sec. department is related to that (new) technology.

Info. Sec. within Risk Management: should be employed when the
company's revenues critically depend on the CIA of information – if
information CIA gets jeopardized, the company loses money.

Info. Sec. within Admin. Services: should be employed in companies
that may not worry about using the latest technology, but rather about
properly securing existing data and whatever technology (info.
infrastructure) is currently in place.

Companies: Hospital, Amazon, IBM


Information Security Structure / Organization
Info. Sec. Organization / Structure

• Factors Impacting Info. Sec. Organization:

- Organization Culture
  - if upper management & staff believe that info. sec. is a waste
  of time and resources, the info. sec. program will remain
  small, poorly supported and have difficulty operating

- Organization Size (and Budget)
  - large organizations tend to have large(r) information security
  programs; smaller organizations may have a single security
  administrator

Although the size of an organization determines
the makeup of its information security program,
certain basic functions should be found in every organization.
Info. Sec. Organization / Structure (cont.)

Example: test your knowledge of security functions


http://academy.delmar.edu/Courses/ITSY2430/Labs/SecurityPolicyQuiz.html
Info. Sec. Organization / Structure (cont.)

• NIST Cybersecurity Framework: 22 Core Functions

Info. Sec. Organization / Structure (cont.)

• NIST Cybersecurity Framework: 22 Core Functions (cont.)

• Identify – help the organization understand its cyber-
security risks (to systems, assets, data) and how those
relate to the organization's core business

- Business Environment: understand and prioritize the role
and responsibility of the cybersecurity team in the context of
the organization's main mission
Info. Sec. Organization / Structure (cont.)

• Identify – …
- Governance: understand all the regulatory, legal, risk and
environmental constraints, and help shape adequate
cybersecurity policies, procedures, processes …
- Asset Management: maintain an inventory of all assets (data,
software, hardware, personnel …) within the organization
- Risk Assessment: understand the specific cybersecurity
risks to organizational operations (including its mission,
functions, image, or reputation) and its assets as well as
its individuals
- Risk Management: establish the organization's priorities,
constraints, risk tolerance, and assumptions to support
overall risk decisions
Info. Sec. Organization / Structure (cont.)

• NIST Cybersecurity Framework: 22 Core Functions (cont.)

• Protect – help the organization establish all necessary
information/computer security safeguards to ensure
delivery of critical (infrastructure) services

- Access Control: limit access to information resources
and associated facilities to authorized users, processes
and devices
Info. Sec. Organization / Structure (cont.)
• Protect – …
- Awareness and Training: adequately train the organization's
personnel & partners so that they can perform their
information security-related duties and responsibilities
consistent with related policies, procedures & agreements.
- Data Security: manage CIA of data (in motion and at rest)
in accordance with the organization's risk strategy
- Information Protection Processes and Procedures:
manage protection of information & information systems in
accordance with established policies, processes & procedures
- Maintenance: maintain & repair operational & information
system components in accordance with the organization's policies
& procedures (e.g., software & hardware updates)
- Protective Technology: put in place & manage technical
solutions to ensure security & resilience of systems & assets
(e.g., antivirus, firewall, IDS, …)
Info. Sec. Organization / Structure (cont.)

• NIST Cybersecurity Framework: 22 Core Functions (cont.)

• Detect – identify the occurrence of cybersecurity events

- Security Continuous Monitoring: monitor information
systems and assets so as to be able to identify critical
cybersecurity events and verify the effectiveness of
current protective measures
Info. Sec. Organization / Structure (cont.)

• Detect – …

- Anomalies and Events: detect in a timely manner all
anomalous activities and determine their potential impact
(e.g., from individual logs and by cross-correlating data)
- Detection Processes: maintain and test current detection
processes and procedures to ensure their effectiveness
(e.g., vulnerability testing)
Info. Sec. Organization / Structure (cont.)

• NIST Cybersecurity Framework: 22 Core Functions (cont.)

• Respond – take adequate action on a detected
cybersecurity event in order to contain its impact
[slide callout: should always come before mitigation]

- Response Planning: develop, maintain & test response
processes and procedures to ensure timely response
Info. Sec. Organization / Structure (cont.)

• Respond – …
- Communications: coordinate response activities with
internal and external stakeholders, to include external
support from federal, state, and local law enforcement
agencies
- Analysis: conduct analysis of notifications from detection
systems and understand the impact of the incident
(e.g., from the forensics perspective)
- Mitigation: perform all adequate activities to prevent
expansion of an event, mitigate its effects, and eradicate
the incident
- Improvements: improve organizational response activities
by incorporating lessons learned from current and previous
detection/response activities
Info. Sec. Organization / Structure (cont.)

• NIST Cybersecurity Framework: 22 Core Functions (cont.)

• Recover – restore capabilities and services impaired
by a cybersecurity event

- Recovery Planning: develop, maintain & test recovery
processes and procedures to ensure timely restoration of
systems and assets affected by cybersecurity events
Info. Sec. Organization / Structure (cont.)

• Recover – …

- Improvements: improve recovery planning and processes
by incorporating lessons learned
- Communications: coordinate restoration activities with
internal and external parties, such as ISPs, owners of
attacking systems, other victims, vendors …
Policy, Standard, Procedure

[Figure: hierarchy from conceptual (top) to hands-on (bottom)]
- Policy – Why? [Identified issue & scope]
- Standard – What? [Assigns quantifiable measures]
- Guideline – [Provides additional recommended guidance]
- Procedure – How? [Establishes proper steps to take]
Security Policy
Policy, Standard, Procedure (cont.)

• Security Policy – foundation of an effective info.
security system/program
- What is it?
  - concise and easy to understand statement that:
  (1) defines a set of conditions that are critical for protecting
  the organization's assets, and its ability to conduct business
  (2) defines general security practices that management
  expects employees and other stakeholders to follow

- Why do we need it?
  - helps organizations demonstrate their commitment to
  protect their information assets and/or comply with the law
  - heightens security awareness of company personnel or
  third-party users/customers
Policy, Standard, Procedure (cont.)

Example: Organization without policy

Consider the scenario:
An employee (A) behaves inappropriately at the work place, by
reading another employee's email.
Another employee (B) is aggrieved by this behavior and sues the
company. The company does not have a policy that prohibits such
behavior, hence no legal action against the offender (A) can be
taken …
Nevertheless, the company may be legally
obliged to protect the privacy of
employee B.
The company loses the lawsuit, and
lots of money …
Policy, Standard, Procedure (cont.)

Although the least expensive security protection,
Policies are often the
most difficult to implement/enforce.

To ensure effectiveness,
failure to comply with a Policy
should imply a disciplinary action.
Policy, Standard, Procedure (cont.)

Example: Policy that is hard to implement

"Employees are not allowed to take out of the company's
premises any IP-related documentation."
Policy, Standard, Procedure (cont.)

• Security Standard – more specific directives that are
mandatory
- describe what to do (or not do) to comply with the policy
- also, an extension of the policy into the real world –
specifies technology settings, platforms or behaviors
- it is important to audit adherence to standards to ensure
their implementation

• Security Procedure – specifies the actual steps of how to
implement or comply with a standard
- example:
  - specific instructions on how to download and install centrally
  managed antivirus software
Policy, Standard, Procedure (cont.)

Example: Policy vs. Standard vs. Procedure

Many Info. Sec. departments have specific protocols for
performing backups of server hard drives.

Policy: Describes the need for backups, for storage off-site,
and for safeguarding the backup media.

Standard: Defines the software to be used to perform
backups and how to configure this software (e.g. Acronis,
SmartSync, etc.)

Procedure: Describes how to use the backup software,
the timing for making backups, and other ways that
humans interact with the backup system.
http://christodonte.com/2009/05/relationship-between-a-policy-standard-guideline-and-procedure/
Policy, Standard, Procedure (cont.)

• Security Guideline – discretionary set of directives
designed to achieve a policy/security objective
- needed in complex & uncertain situations for which rigid
standards cannot be specified
- examples:
  - a company might have a guideline that each new employee
  should have a background check
  - however, in an emergency, a department head might be allowed
  to hire a person before a background check is completed

• Security Recommended Practices – set of policies /
standards / procedures / guidelines recommended
by trade associations and government agencies
• Security Best Practices – descriptions of what the best
firms in the industry are doing about security
Policy, Standard, Procedure (cont.)

Example: Microsoft – Best Security Practices

http://technet.microsoft.com/en-us/library/dd277328.aspx
Security Policy

• Important rules to follow when shaping a policy:
- Policy should never conflict with existing law.
- Policy must be able to stand up in court if challenged.
- Policy must be properly supported and administered.

• For policies to be effective, they must be:
A. Developed using industry-accepted practices.
B. Distributed or disseminated using all appropriate methods.
C. Read by all employees.
D. Comprehended by all employees.
E. Formally agreed / complied to by act or affirmation.
F. Enforced and applied uniformly.
Security Policy: Development

A. Development of Security Policy - 5 stage process

- A.1 Investigation Phase.
  - Form the right policy design team consisting of representatives
  from groups that will be affected by the new policy (e.g. legal dept.,
  HR, end users of various IT systems covered by the policy)
  - Make an outline of the scope and goals of the policy,
  as well as the cost and scheduling of its implementation.
  - Obtain general support from senior management. Without
  enough attention, any policy has a reduced chance of success –
  mid-management and users are not likely to implement it.

- A.2 Analysis Phase.
  - Obtain all recent & relevant information - risk assessment,
  IT audits, … - as well as other references (e.g. past law suits)
  concerning the positive / negative outcome of similar policies.
Security Policy: Development (cont.)

Why is the Analysis Phase performed
after the Investigation Phase?
Wouldn't it be beneficial to approach the
management with already gathered
legal/audit (reference) information?

Sometimes policy documents that affect information
security are housed in the HR department, as well as in
accounting, finance, legal, or corporate
security departments.
Security Policy: Development (cont.)

A. Development of Security Policy: 5 stage process (cont.)

- A.3 Design / Distribution Planning Phase.
  - Create a plan on how to distribute and verify the distribution
  of the policy. (e.g. through internet or hard-copy form – may
  impact the content of the policy)

- A.4 Implementation Phase.
  - Design team actually writes the policy.
  - Can rely on existing policies found on the Web, Government
  Sites, Professional Literature.

- A.5 Maintenance Phase.
  - Monitor, maintain, and modify the policy to ensure that it
  remains effective as a tool against ever changing threats.
  (ongoing process!)
Security Policy: Development (cont.)
Example: Policy templates
http://www.sans.org/security-resources/policies/
Security Policy: Distribution

B. Policy Distribution
- Getting the policy document into the hands of all
employees may require a substantial effort / investment.
- Techniques of distribution:
  - hard-copy distribution
  - bulletin-board distribution
  - distribution via email
  - distribution via intranet (in html or PDF form)

- The organization must be able to prove distribution of the
policy document, e.g. via an auditing log in the case of electronic
distribution.
Security Policy: Reading & Comprehension

C. & D. Policy Reading and Comprehension

- Policy must be written/presented in a way that all
employees can read and comprehend.
  - illiterate or low-literate workers
  - ESL workers
  - visually impaired, etc.

Example: Importance of policy reading & comprehension

Assume an employee is fired for failure to comply with a policy.
If the organization cannot verify that the employee was in fact
properly educated on the policy, the employee could sue the
organization for wrongful termination.
Security Policy: Compliance

E. Policy Compliance
(Consequences of not complying with the policy should be clearly
stated and agreed upon by the employees.)
- Failure to agree to or follow a policy may jeopardize the
organization's interests and, thus, be sufficient to decide
on termination.
- However, the legal system may not support such a decision.
- The organization can/should incorporate a 'policy confirmation'
statement into the employment contract or annual evaluation.
Security Policy: Enforcement

F. Policy Enforcement
- Because of potential scrutiny during legal proceedings,
organizations must establish high standards of policy
implementation.
  - example: if policy mandates that all employees wear ID
  badges in a clearly visible location, and some management
  members decide not to follow this policy, any action taken
  against other employees will not withstand legal challenges
Security Policy Categories

• Three types of security policies found in most
organizations:
1) Enterprise Information Security Policy (EISP)
2) Issue-specific Security Policy (ISSP)
3) System-specific Security Policy (SysSP)
Security Policy Categories: EISP

1) Enterprise Information Security Policy (EISP)

- Also known as the general security policy – sets strategic direction,
scope, and tone for all security matters and efforts.

- Short (2 – 10 page) executive-level document usually
drafted by the chief IT officer of the organization.

- Common components of a good EISP:
  - Statement of purpose – explains the intent of the document.
  - States the info. sec. philosophy for the given enterprise.
  - Explains the importance of info. sec. for the enterprise.
  - Defines the info. sec. organization/structure of the enterprise.
  - Lists other standards that influence and are influenced by this
  document.
Security Policy Categories: ISSP

2) Issue-Specific Security Policy (ISSP)

- Provides detailed, targeted guidance concerning the use
of a particular process, technology or system.

- ISSP may cover one or more of the following:
  - use of electronic mail
  - use of the Internet and WWW
  - use of company-owned computer equipment
  - use of personal equipment on company networks
Security Policy Categories: ISSP (cont.)

2) Issue-Specific Security Policy (ISSP) (cont.)

- Components of a typical ISSP:
1) Statement of Purpose
  - what is the scope of the policy
  - what technology and issue it addresses
  - who is responsible and accountable for policy implementation

2) Authorized Access and Usage
  - who can use the technology governed by the policy
  - what the technology can be used for
  - what constitutes 'fair and responsible' use of the technology and
  how it may impact 'personal information and privacy'

3) Prohibitive Use of Equipment - unless a particular use is clearly
prohibited, the company cannot penalize its employees for misuse
  - what constitutes disruptive use, misuse, criminal use
  - what other possible restrictions may apply
Security Policy Categories: ISSP
2) Issue-Specific Security Policy (ISSP) (cont.)
- Components of a typical ISSP:
4) Systems Management
  - which kind of authorized employer monitoring is involved
  (e.g. electronic scrutiny of email & other electronic documents)

5) Violation of Policy
  - what specific penalties, for each category of violation, will apply
  - how to report observed or suspected violations – openly or
  anonymously

6) Limitation of Liability – the company does not want to be liable if an
employee is caught conducting illegal activity with the company's assets
  - who is liable if an employee violates a company policy or law
Security Policy Categories: SysSP

3) System-Specific Security Policy (SysSP)

- Both EISP and ISSP are formalized as written documents
readily identifiable as policy.
- SysSP has the look of a standard or a procedure to be used
when configuring / maintaining a system – intended for
(not regular users but) information security personnel
- Managerial Guidance SysSP – created by management
to guide implementation / configuration of technology as
well as to address people's behavior in ways that support
EISP and ISSP.
- Technical Specifications SysSP – in some cases system
administrators need to create / implement their own
policy in order to enforce EISP, ISSP or managerial policy.
Security Policy Categories: SysSP (cont.)

Example: EISP vs. ISSP vs. Managerial SysSP

EISP: The company's IT system should only be used to
access and/or exchange corporate information.

ISSP 1: The email server should/will discard/quarantine all
emails with non-corporate sender/receiver
email addresses.
ISSP 2: The firewall should/will be set in a way to prevent
access to outside web-sites.

Managerial
SysSP: All outgoing IP packets carrying HTTP content
and port numbers x, y, z should be dropped.
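The policy chain on this slide carried into a checkable form, as an added example that is not part of the lecture: the managerial SysSP written as a packet-filter decision, and an audit of that rule against ISSP 2 (the "audit adherence to standards" step from the Standard slide). The port set standing in for x, y, z, the corporate address range and the sample packets are constructed assumptions.

```python
"""Added example (not from the slides): the managerial SysSP
"drop all outgoing IP packets carrying HTTP content on ports x, y, z"
as a filter rule, plus an audit of that rule against ISSP 2
("prevent access to outside web-sites")."""
from dataclasses import dataclass
import ipaddress

# Assumed stand-ins for the slide's unspecified ports x, y, z and for the
# corporate network (constructed RFC 1918 range for this example).
SYSSP_HTTP_PORTS = frozenset({80, 8000, 8080})
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ")


@dataclass(frozen=True)
class Packet:
    """Minimal view of one outgoing TCP/IP packet."""
    dst_ip: str
    dst_port: int
    payload: bytes


def carries_http(payload: bytes) -> bool:
    """'HTTP content' in the SysSP: the payload starts with an HTTP request line."""
    return payload.startswith(HTTP_METHODS)


def is_outside(dst_ip: str) -> bool:
    """EISP scope: any destination off the corporate network is 'outside'."""
    return ipaddress.ip_address(dst_ip) not in CORPORATE_NET


def syssp_decision(pkt: Packet) -> str:
    """The managerial SysSP as a rule: DROP outgoing HTTP to the listed
    ports when the destination is outside the company; otherwise ACCEPT
    (corporate web servers stay reachable, which the EISP allows)."""
    if (is_outside(pkt.dst_ip) and pkt.dst_port in SYSSP_HTTP_PORTS
            and carries_http(pkt.payload)):
        return "DROP"
    return "ACCEPT"


def audit_against_issp2(sample):
    """Audit adherence to the standard: return every outside-bound HTTP
    packet in the sample that the SysSP rule still ACCEPTs. A non-empty
    result is a gap between the technical rule and what ISSP 2 intends."""
    return [p for p in sample
            if is_outside(p.dst_ip) and carries_http(p.payload)
            and syssp_decision(p) == "ACCEPT"]


# Constructed outgoing traffic; 203.0.113.0/24 is documentation address space.
SAMPLE = [
    Packet("203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Packet("203.0.113.10", 8080, b"POST /api HTTP/1.1\r\n\r\n"),
    Packet("10.1.2.3", 80, b"GET /intranet HTTP/1.1\r\n\r\n"),  # corporate: allowed
    Packet("203.0.113.10", 53, b"\x12\x34\x01\x00"),            # DNS, not HTTP
    Packet("203.0.113.10", 81, b"GET / HTTP/1.1\r\n\r\n"),      # HTTP on an unlisted port
]


def run_example():
    """Apply the rule to the sample and report what slips past ISSP 2."""
    decisions = {i: syssp_decision(p) for i, p in enumerate(SAMPLE)}
    gaps = audit_against_issp2(SAMPLE)
    return decisions, gaps


if __name__ == "__main__":
    decisions, gaps = run_example()
    for i, d in decisions.items():
        print(i, d, SAMPLE[i].dst_ip, SAMPLE[i].dst_port)
    print("ISSP 2 gaps:", [(p.dst_ip, p.dst_port) for p in gaps])
```

The audit reports the HTTP flow on the unlisted port: a port list alone does not fully realize "prevent access to outside web-sites", which is exactly the gap a technical-specification SysSP has to close.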
