CSE3482 2022 SecurityManagement
Management of Information Security
Management Definition (cont.)
• Management – process of achieving certain objectives given a set of constraints
http://education-portal.com/academy/lesson/decisional-roles-in-management-types-examples-definition.html
Management Definition (cont.)
Example: Mintzberg’s 10 managerial roles [figure; recoverable labels: represent organization/group externally as formal head; disseminate organization’s information outside]
◦ at the lower-level managerial positions, decisional roles (e.g. disturbance handler & negotiator) are performed more often
Source: Elementary Information Security, R. E. Smith, p. 580
Management Process
• Four key stages of a management process: POLC Model
[Figure: Project/Strategy Formulation; Project/Strategy Implementation]
Management Process (cont.)
1) Planning – deciding what needs to happen in the future and generating adequate plans for action
▪ strategic planning – occurs at the highest levels of organization and for a long period of time (5 or more years)
▪ tactical planning – focuses on production planning and integrates organizational resources for an intermediate duration (1 – 5 years)
▪ operational planning – focuses on day-to-day operations of local resources, and occurs in the present or in the short term
[Figure: Cybernetic Loop – Negative Feedback; example: ‘Beta version’ produced – 96% secure]
Information Security Management
• Three common groups of managers:
◦ Non-technical General Business Managers – articulate and communicate organizational objectives and policy
◦ IT Managers – support organization’s business objectives by supplying and supporting appropriate IT infrastructure
◦ Information Security Managers – protect organization’s IT infrastructure and other information assets from many threats they face
Information Security Management (cont.)
◦ cons:
▪ the CEO is likely to discriminate against the Info. Sec. function, as other IT objectives (e.g. computer performance, ease of use, …) often take precedence
Information Security Management (cont.)
• Identify – …
◦ Governance: understand all the regulatory, legal, risk and environmental constraints, and help shape adequate cybersecurity policies, procedures, processes …
◦ Asset Management: maintain inventory of all assets (data, software, hardware, personnel …) within the organization
◦ Risk Assessment: understand the specific cybersecurity risks to organizational operations (including its mission, functions, image, or reputation) and its assets as well as its individuals
◦ Risk Management: establish organization’s priorities, constraints, risk tolerance, and assumptions to support overall risk decisions
Info. Sec. Organization / Structure (cont.)
• Detect – …
• Respond – …
◦ Communications: coordinate response activities with internal and external stakeholders to include external support from federal, state, and local law enforcement agencies
◦ Analysis: conduct analysis of notifications from detection systems and understand the impact of the incident (e.g., from the forensics perspective)
◦ Mitigation: perform all adequate activities to prevent expansion of an event, mitigate its effects, and eradicate the incident
◦ Improvements: improve organizational response activities by incorporating lessons learned from current and previous detection/response activities
Info. Sec. Organization / Structure (cont.)
• Recover – …
[Figure: from conceptual to hands-on – Why? (identified issue & scope); What? (assigns quantifiable measures; provides additional recommended guidance); How? (establishes proper steps to take)]
Security Policy
Policy, Standard, Procedure (cont.)
To ensure effectiveness, failure to comply with a Policy should imply a disciplinary action.
Policy, Standard, Procedure (cont.)
http://technet.microsoft.com/en-us/library/dd277328.aspx
Security Policy
B. Policy Distribution
◦ Getting the policy document into the hands of all employees may require a substantial effort / investment.
◦ Techniques of distribution:
▪ hard-copy distribution
▪ bulletin-board distribution
▪ distribution via email
▪ distribution via intranet (in html or PDF form)
E. Policy Compliance
(Consequences of not complying with policy should be clearly stated and agreed upon by the employees.)
◦ Failure to agree to or follow a policy may jeopardize organization’s interests and, thus, be sufficient to decide on termination.
◦ However, the legal system may not support such decision.
◦ Organization can/should incorporate ‘policy confirmation’ statement into employment contract or annual evaluation.
Security Policy: Enforcement
F. Policy Enforcement
◦ Because of potential scrutiny during legal proceedings, organizations must establish high standards of policy implementation.
▪ example: if policy mandates that all employees wear ID badges in a clearly visible location, and some management members decide not to follow this policy, any action taken against other employees will not withstand legal challenges
Security Policy Categories
5) Violation of Policy
✓ what specific penalties, for each category of violation, will apply
✓ how to report observed or suspected violations – openly or anonymously
Managerial
SysSP: All outgoing IP packets carrying HTTP content and port numbers x, y, z should be dropped.
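As an added example (not from the lecture slides), the SysSP statement above turned into a checkable rule and evaluated against constructed packets; the rule only fires when all three conditions (outgoing, listed port, HTTP content) hold, which is what makes the policy testable. The concrete ports are assumed stand-ins for the unspecified x, y, z.

```python
# Added example: encoding the SysSP "All outgoing IP packets carrying HTTP
# content and port numbers x, y, z should be dropped" as a rule and auditing
# constructed sample packets against it. Not part of the original slides.
from dataclasses import dataclass

SYSSP_PORTS = {8080, 8000, 8888}   # assumed stand-ins for the unspecified x, y, z


@dataclass(frozen=True)
class Packet:
    direction: str      # "outbound" or "inbound"
    dst_port: int
    payload: bytes


HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ")


def carries_http(payload: bytes) -> bool:
    """Simple content check: payload begins with an HTTP/1.x request line."""
    first_line = payload.split(b"\r\n", 1)[0]
    return payload.startswith(HTTP_METHODS) and b" HTTP/1." in first_line


def syssp_action(pkt: Packet, ports=SYSSP_PORTS) -> str:
    """'drop' only when every condition of the SysSP is met, otherwise 'allow'."""
    if pkt.direction == "outbound" and pkt.dst_port in ports and carries_http(pkt.payload):
        return "drop"
    return "allow"


# Constructed sample traffic: one packet matches, three each miss one condition.
SAMPLE = [
    Packet("outbound", 8080, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("outbound", 443, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # port not listed
    Packet("outbound", 8080, b"\x16\x03\x01\x00\x05hello"),                      # not HTTP content
    Packet("inbound", 8080, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),    # not outgoing
]


def audit(packets) -> list:
    """Return the policy decision for each packet, in order."""
    return [syssp_action(p) for p in packets]


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE, audit(SAMPLE)):
        print(f"{pkt.direction:8} port {pkt.dst_port:5} -> {decision}")
```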