Chapter 3 - Governance and Information Security Planning


Information Security Management Assurance

(ISM811S)
Chapter 1 – Introduction to Information Management and Assurance
Dr Mercy Chitauro
Outline
1. What is Security
2. What is Management
3. Principles of Information Security
4. Project Management
5. Homework
Learning outcomes
• Identify vital organisational stakeholders involved in information security planning;
• Discuss information security planning in the context of the organisation and IT strategic planning;
• Discuss information security governance and how to implement it;
• Implement an information security program.
Introduction

Planning:
• Is creating action steps toward goals, and then controlling them
• Provides direction for the organisation's future

Top-down method:
• The organisation's leaders choose the direction
• Planning begins with the general and ends with the specific
Information Security Planning
Information Security Committee
• The information security committee includes:
– Employees
– Management
– Stockholders
– Other outside stakeholders
Introduction
Figure: top-down planning flow – Organisational leadership → Security Committee → Set steps towards infosec goals → General objectives → Specific objectives
Precursors to planning
• Effective planning should be accompanied by vision, mission, and values statements.
• They convey the ethical, entrepreneurial, and philosophical management approaches of the organisation.
• Mission statement:
– Declares the business of the organisation and its intended areas of operations
– Explains what the organisation does and for whom
– Example: Random Widget Works, Inc. designs and manufactures quality widgets, associated equipment and supplies for use in modern business environments
– Many organisations require each division, including infosec, to generate its own mission statement
– The vision states where the organisation wants to go; the mission statement describes how it wants to get there
Mission/Vision
Statement
• Vision statement:
– Expresses what the organisation wants to become
– Should be ambitious
– Example: Random Widget Works will be the preferred manufacturer of choice for every business's widget equipment needs, with an RWW widget in every machine they use
Values statement
• This is a set of organisational principles and qualities that dictate the decisions and behaviours of the people inside the organisation.
• They communicate conduct, performance standards and what is important to the organisation to its customers, employees, external stakeholders, and the public.
• Example: RWW values commitment, honesty, integrity and social responsibility among its employees, and is committed to providing its services in harmony with its corporate, social, legal and natural environments.
• The mission, vision, and values statements together provide the foundation for planning.
Let's get back to planning…
Stakeholders typically involved in information security planning:
• Human resources
• Legal department
• Individual business unit representation
• Compliance department
• IT department
• Security Officer (CISO)
Figure: Information security organisational hierarchy
Figure: Planning hierarchy
Infosec Concepts
• Establishing security policies and procedures;
• Effectively deploying servers, workstations, and network devices to reduce downtime;
• Ensuring that all users understand their security responsibilities, and rewarding excellent performance;
• Establishing a security organisation to manage security enterprise-wide;
• Ensuring effective risk management so that risks are effectively understood and controlled.
Tactical Planning
• Shorter in duration than strategic plans, usually between one and three years.
• Incremental objectives which are specific and may have specific projects aligned to the plans.
• CISOs must organise, prioritise, and acquire the resources necessary for the major projects and to provide support for the overall strategic plan.
Ex. Tactical Goals
• Establish an electronic policy development and distribution process;
• Implement robust change control for the server environment;
• Reduce vulnerabilities residing on the servers using vulnerability management;
• Implement a "hot site" disaster recovery program;
• Implement an identity management solution.


Operational Planning
• Operational plans result from tactical plans and are short-term plans that organise day-to-day running and give specific direction for the completion of projects.
Ex. Operational Goals
• Conduct a security risk assessment;
• Develop security policies and approval processes;
• Develop the technical infrastructure to deploy policies and track compliance;
• Train end-users on policies;
• Monitor compliance.
Governance
• Governance: The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly (Whitman & Mattord, 2019).
• Governance, risk management, and compliance (GRC): An approach to information security strategic guidance from a board of directors or senior management perspective that seeks to integrate the three components of information security governance, risk management, and regulatory compliance (Whitman & Mattord, 2019).
Key Points
• Strategic planning outputs the long-term direction (strategy) to be taken by an organisation, and the allocation and acquisition of the resources needed to pursue this effort, whilst
• governance outputs responsibilities (accountability, who does what, who reports to whom) and assurance that information security strategies are aligned with and support business objectives, and
• compliance ensures that the objectives to be achieved adhere to applicable laws and regulations through policies and internal controls.
Questions?

13 Storch Street T: +264 61 207 2258
Private Bag 13388 F: +264 61 207 9258
Windhoek E: fci@nust.na
NAMIBIA W: www.nust.na

Thank You.
